Skip to content

Commit 6cb1fff

Browse files
dependabot[bot]dependabot[bot]
authored
Bump i18next-http-backend from 3.0.2 to 3.0.5 in /frontend (#1669)
Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 3.0.2 to 3.0.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md">i18next-http-backend's changelog</a>.</em></p> <blockquote> <h3>3.0.5</h3> <p>Security release — all issues found via an internal audit. See published advisory <a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>.</p> <ul> <li>security: refuse to build request URLs when <code>lng</code> or <code>ns</code> values contain path-traversal, URL-structure (<code>?</code>, <code>#</code>, <code>%</code>, <code>@</code>, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. <code>isSafeUrlSegment</code> is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, <code>+</code>-joined multi-language requests) (<a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>)</li> <li>security: per-instance <code>omitFetchOptions</code> — the fetch-options-stripping fallback is now scoped to a single backend instance via <code>options._omitFetchOptions</code> instead of a module-level boolean. One instance hitting a &quot;not implemented&quot; fetch error no longer permanently strips <code>requestOptions</code> (including <code>credentials</code>, <code>mode</code>, <code>cache</code>) from every other backend instance in the same process</li> <li>security: strip CR/LF/NUL and other C0/C1 control characters from <code>lng</code>/<code>ns</code> / URL values before they appear in error-callback strings (CWE-117 log forging)</li> <li>security: redact <code>user:password</code> credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in <code>loadPath</code> / <code>addPath</code></li> <li>security: iterate own enumerable keys only (<code>Object.keys</code> + prototype-key guard) in <code>addQueryString</code> and in the <code>customHeaders</code> loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers</li> <li>chore: ignore <code>.env*</code> and <code>*.pem</code>/<code>*.key</code> files in <code>.gitignore</code></li> </ul> <h3>3.0.4</h3> <ul> <li>use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator <a href="https://redirect.github.com/i18next/i18next/issues/2420">i18next#2420</a> — this means only <code>{{lng}}</code> and <code>{{ns}}</code> placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/i18next/i18next-http-backend/commit/5757fa3283bff31bd75e75598c3bcb44179bd892"><code>5757fa3</code></a> 3.0.5</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621"><code>4cee84f</code></a> security: hardening for 3.0.5</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4cbc48741128d9b1f6cceb43edabfbec84c92615"><code>4cbc487</code></a> Bump next from 16.2.1 to 16.2.3 in /example/next (<a href="https://redirect.github.com/i18next/i18next-http-backend/issues/180">#180</a>)</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/0d7dcbb09989d358b3af9a67658469ae8ed361dc"><code>0d7dcbb</code></a> make last change more clear</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/c740e013ab5ff4ea3a71f9e0842a302bdf4147ae"><code>c740e01</code></a> year</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/e1dc72b3fb016932959d2bf796d94985baca7050"><code>e1dc72b</code></a> changelog fix</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4dbb4851ff53b0058d8f0a254779b45c839e6c24"><code>4dbb485</code></a> 3.0.4</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/5f33a0c2d72f8f9c1e0add30b9b75a0c2edeb7b6"><code>5f33a0c</code></a> use own interpolation function for loadPath and addPath instead of relying on...</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/681c09d12ebfafef09351b784d2e7b250328879f"><code>681c09d</code></a> update ci actions</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/e63ff163717ba02c589e27fa81cc881add892fbd"><code>e63ff16</code></a> adjust deno test</li> <li>Additional commits viewable in <a href="https://github.com/i18next/i18next-http-backend/compare/v3.0.2...v3.0.5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=i18next-http-backend&package-manager=npm_and_yarn&previous-version=3.0.2&new-version=3.0.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/evroon/bracket/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 454bdf4 commit 6cb1fff

2 files changed

Lines changed: 10 additions & 10 deletions

File tree

frontend/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@
6262
"eslint-plugin-react-hooks": "7.0.1",
6363
"eslint-plugin-testing-library": "7.16.0",
6464
"i18next-browser-languagedetector": "8.2.1",
65-
"i18next-http-backend": "3.0.2",
65+
"i18next-http-backend": "3.0.5",
6666
"npm-check-updates": "20.0.0",
6767
"postcss": "8.5.0",
6868
"postcss-preset-mantine": "1.18.0",

frontend/pnpm-lock.yaml

Lines changed: 9 additions & 9 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)