Skip to content

build(deps): bump i18next from 26.3.4 to 26.3.5 in /api/src/main/webui#2742

Merged
MikeEdgar merged 1 commit into
mainfrom
dependabot/npm_and_yarn/api/src/main/webui/i18next-26.3.5
Jul 9, 2026
Merged

build(deps): bump i18next from 26.3.4 to 26.3.5 in /api/src/main/webui#2742
MikeEdgar merged 1 commit into
mainfrom
dependabot/npm_and_yarn/api/src/main/webui/i18next-26.3.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps i18next from 26.3.4 to 26.3.5.

Release notes

Sourced from i18next's releases.

v26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).
Changelog

Sourced from i18next's changelog.

26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).
Commits
  • 573ae73 26.3.5
  • cc54b05 docs(changelog): 26.3.5 — multiline $t() options, replace mutation, escaped-l...
  • 3180d67 fix: skip interpolation of placeholders inside escaped values (#2442)
  • d16f5a2 fix: stop mutating the passed replace object when returning details (#2441)
  • bed56c1 fix: parse $t() nesting options block that spans multiple lines (#2440)
  • c19e458 docs(changelog): link GHSA advisory for deepExtend fix
  • 7bb87d0 docs(changelog): reference security advisory for deepExtend fix
  • df9b799 docs(changelog): update security disclosure credit
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 9, 2026
@github-actions github-actions Bot added this to the 0.13.0 milestone Jul 9, 2026
@MikeEdgar
MikeEdgar enabled auto-merge (squash) July 9, 2026 08:35
Bumps [i18next](https://github.com/i18next/i18next) from 26.3.4 to 26.3.5.
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.3.4...v26.3.5)

---
updated-dependencies:
- dependency-name: i18next
  dependency-version: 26.3.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/api/src/main/webui/i18next-26.3.5 branch from ea9a3a4 to 6b2261e Compare July 9, 2026 12:31
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@MikeEdgar
MikeEdgar merged commit bf21867 into main Jul 9, 2026
9 checks passed
@MikeEdgar
MikeEdgar deleted the dependabot/npm_and_yarn/api/src/main/webui/i18next-26.3.5 branch July 9, 2026 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant