Skip to content

chore(deps): bump the rest group across 1 directory with 26 updates#3160

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/rest-fbd2cb1bd9
Open

chore(deps): bump the rest group across 1 directory with 26 updates#3160
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/rest-fbd2cb1bd9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the rest group with 26 updates in the / directory:

Package From To
countly-sdk-nodejs 20.11.0 24.10.4
electron-serve 1.1.0 3.0.1
electron-store 8.1.0 11.0.2
fix-path 3.0.0 5.0.0
fs-extra 10.1.0 11.3.6
i18next 21.8.14 26.3.5
i18next-fs-backend 1.1.4 2.6.6
i18next-icu 2.0.3 2.4.4
intl-messageformat 9.13.0 11.2.10
ipfs-http-client 56.0.2 60.0.1
ipfsd-ctl 10.0.6 17.0.0
it-last 1.0.6 3.0.11
portfinder 1.0.32 1.0.38
untildify 4.0.0 6.0.0
winston 3.7.2 3.19.0
@electron/notarize 1.2.3 3.1.1
@ipfs-shipyard/release-please-ipfs-plugin 1.0.1 1.1.0
dotenv 16.4.5 17.4.2
got 12.1.0 15.1.0
patch-package 6.5.1 8.0.1
pre-commit 1.2.2 2.0.0
semver-regex 3.1.4 4.0.5
shx 0.3.4 0.4.0
standard 16.0.4 17.1.2
tmp 0.2.3 0.2.7
ts-standard 11.0.0 12.0.2

Updates countly-sdk-nodejs from 20.11.0 to 24.10.4

Release notes

Sourced from countly-sdk-nodejs's releases.

Countly NodeJS SDK 24.10.4

  • Added a new init time flag salt for request tampering protection (should be used in tandem with server options)

Countly NodeJS SDK 24.10.3

  • Added support for uploading user images by providing path to the local image using picturePath parameter in user_details method (non-bulk)
  • Reduced SDK log verbosity

Countly NodeJS SDK 24.10.2

  • Added timezone support for server

Countly NodeJS SDK 24.10.1

  • Added a new method set_id(newDeviceId) for managing device ID changes according to the device ID Type
  • Added DeviceIdType enums to be used to evaluate the device ID type.
  • Added reserved keys for user properties

Countly NodeJS SDK 24.10.0

  • Default max segmentation value count changed from 30 to 100
  • Mitigated an issue where SDK could create an unintended dump file
  • Added a new init time config option (storage_type) which can make user set the SDK storage option:
    • File Storage
    • Memory Only Storage
  • Added a new init time config option (custom_storage_method) which enables user to provide custom storage methods

Countly NodeJS SDK 22.06.0

  • Fixed a bug where remote config requests were rejected
  • Fixed a bug where empty storage object did cause some issues

Countly NodeJS SDK 22.02.0

  • !! Major breaking change !! Device ID provided during the init will be ignored if a device ID was provided previously
  • Added a new init time flag which erases the previously stored device ID. This allows to set new device ID during init
  • Added a call to get the device ID type of the user
  • Added a call to get the device ID of the user
  • Now it appends the device ID type with each request

Countly NodeJS SDK 21.11.0

  • !! Major breaking change !! Changing device ID without merging will now clear the current consent. Consent has to be given again after performing this action.
  • ! Minor breaking change ! Multiple values now have a default limit adjustable at initialization:
    • Maximum size of all string keys is now 128 characters by default.
    • Maximum size of all values in key-value pairs is now 256 characters by default.
    • Maximum amount of segmentation in one event is mow 30 key-value pairs by default.
    • Maximum amount of breadcrumbs that can be recorded at once is now 100 by default.
    • Maximum stack trace lines per thread is now 30 by default.
    • Maximum stack trace line length is now 200 by default.
  • ! Minor breaking change ! After initialization, the logging/debugging mode can only be changed with Countly.setLoggingEnabled instead of Countly.debug now.
  • When recording internal events with 'add_event', the respective feature consent will now be checked instead of just the 'events' consent.
  • Fixed a bug where the SDK throws a Bulk user storage exception due to a missing folder
  • Increased the default max event batch size to 100.
  • Logs are now color coded and indicate log levels.
Changelog

Sourced from countly-sdk-nodejs's changelog.

24.10.4

  • Added a new init time flag salt for request tampering protection (should be used in tandem with server options)

24.10.3

  • Added support for uploading user images by providing path to the local image using picturePath parameter in user_details method (non-bulk)
  • Reduced SDK log verbosity

24.10.2

  • Added timezone support for server

24.10.1

  • Added a new method set_id(newDeviceId) for managing device ID changes according to the device ID Type
  • Added DeviceIdType enums to be used to evaluate the device ID type.
  • Added reserved keys for user properties

24.10.0

  • Default max segmentation value count changed from 30 to 100
  • Mitigated an issue where SDK could create an unintended dump file
  • Added a new init time config option (conf.storage_type) which can make user set the SDK storage option:
    • File Storage
    • Memory Only Storage
  • Added a new init time config option (conf.custom_storage_method) which enables user to provide custom storage methods

22.06.0

  • Fixed a bug where remote config requests were rejected
  • Fixed a bug where empty storage object did cause some issues

22.02.0

  • !! Major breaking change !! Device ID provided during the init will be ignored if a device ID was provided previously
  • Added a new init time flag which erases the previously stored device ID. This allows to set new device ID during init
  • Added a call to get the device ID type of the user
  • Added a call to get the device ID of the user
  • Now it appends the device ID type with each request

21.11.0

  • !! Major breaking change !! Changing device ID without merging will now clear the current consent. Consent has to be given again after performing this action.
  • ! Minor breaking change ! Multiple values now have a default limit adjustable at initialization:
    • Maximum size of all string keys is now 128 characters by default.
    • Maximum size of all values in key-value pairs is now 256 characters by default.
    • Maximum amount of segmentation in one event is mow 30 key-value pairs by default.
    • Maximum amount of breadcrumbs that can be recorded at once is now 100 by default.
    • Maximum stack trace lines per thread is now 30 by default.
    • Maximum stack trace line length is now 200 by default.
  • ! Minor breaking change ! After initialization, the logging/debugging mode can only be changed with Countly.setLoggingEnabled instead of Countly.debug now.
  • When recording internal events with 'add_event', the respective feature consent will now be checked instead of just the 'events' consent.
  • Fixed a bug where the SDK throws a Bulk user storage exception due to a missing folder
  • Increased the default max event batch size to 100.
  • Logs are now color coded and indicate log levels.

20.11

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by turtledreams, a new releaser for countly-sdk-nodejs since your current version.


Updates electron-serve from 1.1.0 to 3.0.1

Release notes

Sourced from electron-serve's releases.

v3.0.1

  • Fix: Batch scheme registrations into a single call f773dd5

sindresorhus/electron-serve@v3.0.0...v3.0.1

v3.0.0

Breaking

  • Require Electron 37 and Node.js 20 184e818

Improvements

  • Make directory option optional with default value 09b1909
  • Fix source maps support for Chrome DevTools e666c5d
  • Replace deprecated registerFileProtocol with protocol.handle 7c429e7

sindresorhus/electron-serve@v2.1.1...v3.0.0

v2.1.1

  • Fix loading directory specified by relative path (#45) 633af66

sindresorhus/electron-serve@v2.1.0...v2.1.1

v2.1.0

  • Improve path resolution (credit to Alan Li) d72acb3

sindresorhus/electron-serve@v2.0.0...v2.1.0

v2.0.0

Breaking

  • Require Node.js 18 and Electron 30 a2a542c
  • This package is now pure ESM. Please read this and this.

sindresorhus/electron-serve@v1.3.0...v2.0.0

v1.3.0

  • Support search parameteres in the loadUrl method (#37) 7ae7d43
  • Support loading an HTML file with a custom name (#36) c307a57

sindresorhus/electron-serve@v1.2.0...v1.3.0

v1.2.0

sindresorhus/electron-serve@v1.1.0...v1.2.0

Commits
  • d1d76d2 3.0.1
  • f773dd5 Batch scheme registrations into a single call
  • 1b44e42 3.0.0
  • 7e03781 Minor tweaks
  • d990353 Add docs for serving multiple windows with different content
  • 09b1909 Make directory option optional with default value
  • 184e818 Require Electron 37 and Node.js 20
  • e666c5d Fix source maps support for Chrome DevTools
  • b54ab25 Document ES modules support
  • 7c429e7 Replace deprecated registerFileProtocol with protocol.handle
  • Additional commits viewable in compare view

Updates electron-store from 8.1.0 to 11.0.2

Release notes

Sourced from electron-store's releases.

v11.0.2

  • Update dependencies ccf6f15

sindresorhus/electron-store@v11.0.1...v11.0.2

v11.0.1

  • Update dependencies (#297) 8ecbb6b

sindresorhus/electron-store@v11.0.0...v11.0.1

v11.0.0


sindresorhus/electron-store@v10.1.0...v11.0.0

v10.1.0

  • Update dependencies dcf42b7

sindresorhus/electron-store@v10.0.1...v10.1.0

v10.0.1

  • Fix importing electron abc1d2f

sindresorhus/electron-store@v10.0.0...v10.0.1

v10.0.0

Breaking

This is only a breaking change if you use the schema option.

sindresorhus/electron-store@v9.0.0...v10.0.0

v9.0.0

Breaking

  • Require Node.js 20 and Electron 30 7ddf0c6
  • This package is now pure ESM. Please read this and this.

... (truncated)

Commits

Updates fix-path from 3.0.0 to 5.0.0

Release notes

Sourced from fix-path's releases.

v5.0.0

Breaking

  • Require Node.js 20 df5a5c1

Fixes

  • Fix ANSI escape sequences in PATH environment variable 59d681f

sindresorhus/fix-path@v4.0.0...v5.0.0

v4.0.0

Breaking

  • Require Node.js 12.20 8968c9b
  • This package is now pure ESM. Please read this.

Improvements

  • Add support for Linux 5f0a1a2

sindresorhus/fix-path@v3.0.0...v4.0.0

Commits

Updates fs-extra from 10.1.0 to 11.3.6

Changelog

Sourced from fs-extra's changelog.

11.3.6 / 2026-06-29

  • Fix handling of symlinked destination ancestors in copy/move methods (#1071, #1073)
  • Docs typo fixed (#1074)

11.3.5 / 2026-05-06

  • Fix ensureLink*/ensureSymlink* identical file detection on Windows (#1068)
  • Fix error handling in timestamp preservation code (#1065, #1069)
  • Fix potential file descriptor leak on error in synchronous timestamp preservation code (#1066)

11.3.4 / 2026-03-03

  • Fix bug where calling ensureSymlink/ensureSymlinkSync with a relative srcPath would fail if the symlink already existed (#1038, #1064)

11.3.3 / 2025-12-18

  • Fix copying symlink when destination is a symlink to the same target (#1019, #1060)

11.3.2 / 2025-09-15

  • Fix spurrious UnhandledPromiseRejectionWarning that could occur when calling .copy() in some cases (#1056, #1058)

11.3.1 / 2025-08-05

  • Fix case where move/moveSync could incorrectly think files are identical on Windows (#1050)

11.3.0 / 2025-01-15

  • Add promise support for newer fs methods (#1044, #1045)
  • Use fs.opendir in copy()/copySync() for better perf/scalability (#972, #1028)

11.2.0 / 2023-11-27

  • Copy directory contents in parallel for better performance (#1026)
  • Refactor internal code to use async/await (#1020)

11.1.1 / 2023-03-20

  • Preserve timestamps when moving files across devices (#992, #994)

... (truncated)

Commits

Updates i18next from 21.8.14 to 26.3.5

Release notes

Sourced from i18next's releases.

v26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

v26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). Thanks to zx (Jace) for the responsible disclosure.

v26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

v26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

v26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

v26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

v26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
  • chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
  • chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

... (truncated)

Changelog

Sourced from i18next's changelog.

26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.

26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423

... (truncated)

Commits
  • 573ae73 26.3.5
  • cc54b05 docs(changelog): 26.3.5 — multiline $t() options, replace mutation, escaped-l...
  • 3180d67 fix: skip interpolation of placeholders inside escaped values (#2442)
  • d16f5a2 fix: stop mutating the passed replace object when returning details (#2441)
  • bed56c1 fix: parse $t() nesting options block that spans multiple lines (#2440)
  • c19e458 docs(changelog): link GHSA advisory for deepExtend fix
  • 7bb87d0 docs(changelog): reference security advisory for deepExtend fix
  • df9b799 docs(changelog): update security disclosure credit
  • 817ede5 26.3.4
  • 46d0dd8 build
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates i18next-fs-backend from 1.1.4 to 2.6.6

Changelog

Sourced from i18next-fs-backend's changelog.

2.6.6

Security release — coordinated disclosure from @​codeswhite. See published advisory GHSA-2933-q333-qg83.

  • security: guard the in-memory setPath / pushPath traversal (utils.getLastOfPath) against prototype pollution via crafted missing-key strings. 2.6.4 sanitised lng/ns interpolation into filesystem paths, but did not cover the JSON-object walk that writeFile() performs on each queued missing-key entry: with the default keySeparator: '.', a key like __proto__.polluted was split into ['__proto__','polluted'] and walked straight into Object.prototype. The traversal helper now refuses to descend through __proto__, constructor, or prototype segments and drops the offending write silently; legitimate dotted keys (header.title) are unaffected. Reachable in practice via i18next-http-middleware's missingKeyHandler when exposed to untrusted input — see also the matching defence-in-depth fix in i18next-http-middleware 3.9.7. Credit: @​codeswhite (GHSA-2933-q333-qg83).

2.6.5

  • fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale files such as public/locales/en/a/b.json) load correctly again. 2.6.4's security fix applied the same strict pat...

    Description has been truncated

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 6, 2026 21:39
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 6, 2026
@dependabot dependabot Bot changed the title chore(deps): bump the rest group with 26 updates chore(deps): bump the rest group across 1 directory with 26 updates May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch from 7a49e5d to 7424066 Compare May 21, 2026 04:58
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch 2 times, most recently from fcdc837 to 1de2383 Compare June 4, 2026 04:56
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch from 1de2383 to 740d1fd Compare June 11, 2026 04:56
@socket-security

socket-security Bot commented Jun 11, 2026

Copy link
Copy Markdown

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch from 740d1fd to 9446072 Compare June 18, 2026 04:56
Bumps the rest group with 26 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [countly-sdk-nodejs](https://github.com/Countly/countly-sdk-nodejs) | `20.11.0` | `24.10.4` |
| [electron-serve](https://github.com/sindresorhus/electron-serve) | `1.1.0` | `3.0.1` |
| [electron-store](https://github.com/sindresorhus/electron-store) | `8.1.0` | `11.0.2` |
| [fix-path](https://github.com/sindresorhus/fix-path) | `3.0.0` | `5.0.0` |
| [fs-extra](https://github.com/jprichardson/node-fs-extra) | `10.1.0` | `11.3.6` |
| [i18next](https://github.com/i18next/i18next) | `21.8.14` | `26.3.5` |
| [i18next-fs-backend](https://github.com/i18next/i18next-fs-backend) | `1.1.4` | `2.6.6` |
| [i18next-icu](https://github.com/i18next/i18next-icu) | `2.0.3` | `2.4.4` |
| [intl-messageformat](https://github.com/formatjs/formatjs) | `9.13.0` | `11.2.10` |
| [ipfs-http-client](https://github.com/ipfs/js-ipfs) | `56.0.2` | `60.0.1` |
| [ipfsd-ctl](https://github.com/ipfs/js-ipfsd-ctl) | `10.0.6` | `17.0.0` |
| [it-last](https://github.com/achingbrain/it) | `1.0.6` | `3.0.11` |
| [portfinder](https://github.com/http-party/node-portfinder) | `1.0.32` | `1.0.38` |
| [untildify](https://github.com/sindresorhus/untildify) | `4.0.0` | `6.0.0` |
| [winston](https://github.com/winstonjs/winston) | `3.7.2` | `3.19.0` |
| [@electron/notarize](https://github.com/electron/notarize) | `1.2.3` | `3.1.1` |
| [@ipfs-shipyard/release-please-ipfs-plugin](https://github.com/ipfs-shipyard/release-please-ipfs-plugin) | `1.0.1` | `1.1.0` |
| [dotenv](https://github.com/motdotla/dotenv) | `16.4.5` | `17.4.2` |
| [got](https://github.com/sindresorhus/got) | `12.1.0` | `15.1.0` |
| [patch-package](https://github.com/ds300/patch-package) | `6.5.1` | `8.0.1` |
| [pre-commit](https://github.com/observing/pre-commit) | `1.2.2` | `2.0.0` |
| [semver-regex](https://github.com/sindresorhus/semver-regex) | `3.1.4` | `4.0.5` |
| [shx](https://github.com/shelljs/shx) | `0.3.4` | `0.4.0` |
| [standard](https://github.com/standard/standard) | `16.0.4` | `17.1.2` |
| [tmp](https://github.com/raszi/node-tmp) | `0.2.3` | `0.2.7` |
| [ts-standard](https://github.com/standard/ts-standard) | `11.0.0` | `12.0.2` |



Updates `countly-sdk-nodejs` from 20.11.0 to 24.10.4
- [Release notes](https://github.com/Countly/countly-sdk-nodejs/releases)
- [Changelog](https://github.com/Countly/countly-sdk-nodejs/blob/master/CHANGELOG.md)
- [Commits](Countly/countly-sdk-nodejs@20.11...24.10.4)

Updates `electron-serve` from 1.1.0 to 3.0.1
- [Release notes](https://github.com/sindresorhus/electron-serve/releases)
- [Commits](sindresorhus/electron-serve@v1.1.0...v3.0.1)

Updates `electron-store` from 8.1.0 to 11.0.2
- [Release notes](https://github.com/sindresorhus/electron-store/releases)
- [Commits](sindresorhus/electron-store@v8.1.0...v11.0.2)

Updates `fix-path` from 3.0.0 to 5.0.0
- [Release notes](https://github.com/sindresorhus/fix-path/releases)
- [Commits](sindresorhus/fix-path@v3.0.0...v5.0.0)

Updates `fs-extra` from 10.1.0 to 11.3.6
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](jprichardson/node-fs-extra@10.1.0...11.3.6)

Updates `i18next` from 21.8.14 to 26.3.5
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v21.8.14...v26.3.5)

Updates `i18next-fs-backend` from 1.1.4 to 2.6.6
- [Changelog](https://github.com/i18next/i18next-fs-backend/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-fs-backend@v1.1.4...v2.6.6)

Updates `i18next-icu` from 2.0.3 to 2.4.4
- [Changelog](https://github.com/i18next/i18next-icu/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-icu@v2.0.3...v2.4.4)

Updates `intl-messageformat` from 9.13.0 to 11.2.10
- [Release notes](https://github.com/formatjs/formatjs/releases)
- [Commits](https://github.com/formatjs/formatjs/compare/intl-messageformat@9.13.0...intl-messageformat@11.2.10)

Updates `ipfs-http-client` from 56.0.2 to 60.0.1
- [Release notes](https://github.com/ipfs/js-ipfs/releases)
- [Changelog](https://github.com/ipfs/js-ipfs/blob/master/CHANGELOG.md)
- [Commits](ipfs/js-ipfs@ipfs-http-client-v56.0.2...ipfs-http-client-v60.0.1)

Updates `ipfsd-ctl` from 10.0.6 to 17.0.0
- [Release notes](https://github.com/ipfs/js-ipfsd-ctl/releases)
- [Changelog](https://github.com/ipfs/js-ipfsd-ctl/blob/main/CHANGELOG.md)
- [Commits](ipfs/js-ipfsd-ctl@v10.0.6...v17.0.0)

Updates `it-last` from 1.0.6 to 3.0.11
- [Release notes](https://github.com/achingbrain/it/releases)
- [Commits](https://github.com/achingbrain/it/compare/it-last@1.0.6...it-last-3.0.11)

Updates `portfinder` from 1.0.32 to 1.0.38
- [Release notes](https://github.com/http-party/node-portfinder/releases)
- [Commits](http-party/node-portfinder@v1.0.32...v1.0.38)

Updates `untildify` from 4.0.0 to 6.0.0
- [Release notes](https://github.com/sindresorhus/untildify/releases)
- [Commits](sindresorhus/untildify@v4.0.0...v6.0.0)

Updates `winston` from 3.7.2 to 3.19.0
- [Release notes](https://github.com/winstonjs/winston/releases)
- [Changelog](https://github.com/winstonjs/winston/blob/master/CHANGELOG.md)
- [Commits](winstonjs/winston@v3.7.2...v3.19.0)

Updates `@electron/notarize` from 1.2.3 to 3.1.1
- [Release notes](https://github.com/electron/notarize/releases)
- [Commits](electron/notarize@v1.2.3...v3.1.1)

Updates `@ipfs-shipyard/release-please-ipfs-plugin` from 1.0.1 to 1.1.0
- [Release notes](https://github.com/ipfs-shipyard/release-please-ipfs-plugin/releases)
- [Changelog](https://github.com/ipfs-shipyard/release-please-ipfs-plugin/blob/main/CHANGELOG.md)
- [Commits](ipfs-shipyard/release-please-ipfs-plugin@v1.0.1...v1.1.0)

Updates `dotenv` from 16.4.5 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v16.4.5...v17.4.2)

Updates `got` from 12.1.0 to 15.1.0
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](sindresorhus/got@v12.1.0...v15.1.0)

Updates `patch-package` from 6.5.1 to 8.0.1
- [Release notes](https://github.com/ds300/patch-package/releases)
- [Changelog](https://github.com/ds300/patch-package/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ds300/patch-package/commits)

Updates `pre-commit` from 1.2.2 to 2.0.0
- [Release notes](https://github.com/observing/pre-commit/releases)
- [Changelog](https://github.com/observing/pre-commit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/observing/pre-commit/commits)

Updates `semver-regex` from 3.1.4 to 4.0.5
- [Release notes](https://github.com/sindresorhus/semver-regex/releases)
- [Commits](sindresorhus/semver-regex@v3.1.4...v4.0.5)

Updates `shx` from 0.3.4 to 0.4.0
- [Release notes](https://github.com/shelljs/shx/releases)
- [Changelog](https://github.com/shelljs/shx/blob/main/CHANGELOG.md)
- [Commits](shelljs/shx@v0.3.4...v0.4.0)

Updates `standard` from 16.0.4 to 17.1.2
- [Release notes](https://github.com/standard/standard/releases)
- [Changelog](https://github.com/standard/standard/blob/master/CHANGELOG.md)
- [Commits](standard/standard@v16.0.4...v17.1.2)

Updates `tmp` from 0.2.3 to 0.2.7
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.3...v0.2.7)

Updates `ts-standard` from 11.0.0 to 12.0.2
- [Changelog](https://github.com/standard/ts-standard/blob/master/CHANGELOG.md)
- [Commits](standard/ts-standard@11.0.0...v12.0.2)

---
updated-dependencies:
- dependency-name: "@electron/notarize"
  dependency-version: 3.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: "@ipfs-shipyard/release-please-ipfs-plugin"
  dependency-version: 1.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: rest
- dependency-name: countly-sdk-nodejs
  dependency-version: 24.10.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: electron-serve
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: electron-store
  dependency-version: 11.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: fix-path
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: fs-extra
  dependency-version: 11.3.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: got
  dependency-version: 15.0.5
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: i18next
  dependency-version: 26.0.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: i18next-fs-backend
  dependency-version: 2.6.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: i18next-icu
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rest
- dependency-name: intl-messageformat
  dependency-version: 11.2.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: ipfs-http-client
  dependency-version: 60.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: ipfsd-ctl
  dependency-version: 16.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: it-last
  dependency-version: 3.0.11
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: patch-package
  dependency-version: 8.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: portfinder
  dependency-version: 1.0.38
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rest
- dependency-name: pre-commit
  dependency-version: 2.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: semver-regex
  dependency-version: 4.0.5
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: shx
  dependency-version: 0.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: rest
- dependency-name: standard
  dependency-version: 17.1.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: tmp
  dependency-version: 0.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: rest
- dependency-name: ts-standard
  dependency-version: 12.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: untildify
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: winston
  dependency-version: 3.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rest
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch from 9446072 to e269f36 Compare July 9, 2026 04:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants