Commit 2cb6c54
fix(deps): update dependency vue-i18n to v9.14.5 [security] (#64)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [vue-i18n](https://redirect.github.com/intlify/vue-i18n/tree/master/packages/vue-i18n#readme) ([source](https://redirect.github.com/intlify/vue-i18n/tree/HEAD/packages/vue-i18n)) | [`9.14.4` -> `9.14.5`](https://renovatebot.com/diffs/npm/vue-i18n/9.14.4/9.14.5) | [age](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |
### GitHub Vulnerability Alerts

#### [CVE-2025-53892](https://redirect.github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph)
### Summary
The `escapeParameterHtml: true` option in Vue I18n is designed to protect
against HTML/script injection by escaping interpolated parameters.
However, this setting fails to prevent execution of certain tag-based
payloads, such as `<img src=x onerror=...>`, if the interpolated value
is inserted inside an HTML context using `v-html`.
This may lead to a DOM-based XSS vulnerability, even when using
`escapeParameterHtml: true`, if a translation string includes minor HTML
and is rendered via `v-html`.
### Details
When `escapeParameterHtml: true` is enabled, it correctly escapes common
injection points.
However, it does not sanitize entire attribute contexts, which can be
used as XSS vectors via:
`<img src=x onerror=alert(1)>`
### PoC
In your Vue I18n configuration:
```js
import { createI18n } from 'vue-i18n';

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      // The message itself carries markup with a placeholder inside an
      // event-handler attribute; this is the condition the advisory describes.
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});
```
Use this interpolated payload:
`const payload = '<script>alert("xss")</script>';`
Render the translation using `v-html` (even when not using `v-html`):
`<p v-html="$t('vulnerable', { payload })"></p>`
Expected: escaped content should render as text, not execute.
Actual: script executes in some environments (or the payload is
partially parsed as HTML).
### Impact
This creates a DOM-based Cross-Site Scripting (XSS) vulnerability
despite enabling a security option (`escapeParameterHtml`).
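The advisory's core point is that entity-escaping is context-insensitive: a browser decodes entities inside an attribute value before handing it to the script engine, so escaping a parameter that lands inside an `on*` handler changes nothing about what executes once the message is rendered with `v-html`. The following is an added example, not code from vue-i18n or from the advisory: a small audit that walks a messages object and flags any placeholder located inside a tag attribute, plus a simplified escaper standing in for `escapeParameterHtml` so the decode round-trip can be shown. The `escapeHtml`, `interpolate`, `findAttributePlaceholders` and `auditMessages` names, the attribute/placeholder regexes and the `sampleMessages` object are all constructed for this example and are assumptions about how such a check could be written, not vue-i18n's implementation.

```javascript
// Added example (not vue-i18n's code): audit translation messages for
// placeholders that sit inside HTML attribute values, where parameter
// escaping does not prevent script execution under v-html.

// Simplified HTML-entity escaper standing in for escapeParameterHtml: true.
// Constructed for this example; vue-i18n's own implementation may differ.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Replace {name} placeholders with escaped parameter values, leaving
// unknown placeholders untouched.
function interpolate(message, params) {
  return message.replace(/\{(\w+)\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(params, key) ? escapeHtml(params[key]) : match);
}

// What the HTML parser does to an attribute value before the script engine
// sees it: the entities produced above are decoded again (&amp; last so that
// a literal "&lt;" in the input survives the round trip).
function decodeAttributeValue(value) {
  return value
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Scan one message for {placeholders} located inside a tag's attribute
// value. Event-handler attributes (on*) are the ones where an escaped
// parameter still becomes executable JavaScript.
function findAttributePlaceholders(message) {
  const findings = [];
  const tagRe = /<[a-zA-Z][^>]*>/g;
  const attrRe = /([^\s=\/<>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/g;
  let tag;
  while ((tag = tagRe.exec(message)) !== null) {
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[0])) !== null) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      for (const m of value.matchAll(/\{(\w+)\}/g)) {
        findings.push({ param: m[1], attr: name, eventHandler: name.startsWith('on') });
      }
    }
  }
  return findings;
}

// Walk a nested vue-i18n style messages object (locale -> key -> string)
// and report every attribute-context placeholder with its dotted path.
function auditMessages(messages, prefix = '') {
  const report = [];
  for (const [key, value] of Object.entries(messages)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof value === 'string') {
      for (const f of findAttributePlaceholders(value)) report.push({ path, ...f });
    } else if (value && typeof value === 'object') {
      report.push(...auditMessages(value, path));
    }
  }
  return report;
}

// Constructed sample messages: the first mirrors the advisory's PoC message,
// the second is a plain text message with no markup.
const sampleMessages = {
  en: {
    vulnerable: 'Caution: <img src=x onerror="{payload}">',
    greeting: 'Hello, {name}!',
  },
};

// Running the audit reports en.vulnerable (attr "onerror", eventHandler true)
// and nothing for en.greeting.
console.log(auditMessages(sampleMessages));
```

A finding with `eventHandler: true` is the case the advisory describes and is worth failing CI on; a finding in any other attribute still deserves review, since `src` or `href` values are also interpreted rather than displayed. The durable mitigation is to keep markup out of message strings (rendering translations as text, or composing markup around them in the template) so that `v-html` is not needed at all.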
---
### Release Notes
<details>
<summary>intlify/vue-i18n (vue-i18n)</summary>
### [`v9.14.5`](https://redirect.github.com/intlify/vue-i18n/releases/tag/v9.14.5)

[Compare Source](https://redirect.github.com/intlify/vue-i18n/compare/v9.14.4...v9.14.5)
#### What's Changed
##### 🔒 Security Fixes
- fix: DOM-based XSS via tag attributes for escape parameter by [@kazupon](https://redirect.github.com/kazupon) in [https://github.com/intlify/vue-i18n/pull/2230](https://redirect.github.com/intlify/vue-i18n/pull/2230)
**Full Changelog**: intlify/vue-i18n@v9.14.4...v9.14.5
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone UTC, Automerge - At any
time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>

1 parent e104ac6 commit 2cb6c54
1 file changed
Lines changed: 17 additions & 17 deletions