Bumps [i18next](https://github.com/i18next/i18next) from 26.1.0 to
26.2.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/releases">i18next's
releases</a>.</em></p>
<blockquote>
<h2>v26.2.0</h2>
<ul>
<li>feat(types): new <code>parseInterpolation</code> TypeOption (default
<code>true</code>). When set to <code>false</code> in
<code>CustomTypeOptions</code>, the type-level extractor stops parsing
translation strings for <code>{{variable}}</code> patterns. Required by
<code>i18next-icu</code> users — the default extractor mistakes ICU
MessageFormat nested-brace plurals like <code>{count, plural, one
{{count} row} other {{count} rows}}</code> for an interpolation block
and demands a phantom variable name. The flag is type-only; runtime
interpolation is governed by <code>InterpolationOptions</code> and is
unaffected. Fixes <a
href="https://redirect.github.com/i18next/i18next-icu/issues/85">i18next-icu#85</a>.</li>
<li>fix(types): expose <code>enableSelector</code> on
<code>InitOptions</code> so <code>i18next.init({ enableSelector:
'strict' })</code> typechecks without a module augmentation. The runtime
already reads <code>opts?.enableSelector</code> from init options; this
lands the matching type declaration next to the other
selector-resolution knobs. Accepts <code>false | true | 'optimize' |
'strict'</code>. Thanks <a
href="https://github.com/Faithfinder"><code>@Faithfinder</code></a> (<a
href="https://redirect.github.com/i18next/i18next/pull/2431">#2431</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.2.0</h2>
<ul>
<li>feat(types): new <code>parseInterpolation</code> TypeOption (default
<code>true</code>). When set to <code>false</code> in
<code>CustomTypeOptions</code>, the type-level extractor stops parsing
translation strings for <code>{{variable}}</code> patterns. Required by
<code>i18next-icu</code> users — the default extractor mistakes ICU
MessageFormat nested-brace plurals like <code>{count, plural, one
{{count} row} other {{count} rows}}</code> for an interpolation block
and demands a phantom variable name. The flag is type-only; runtime
interpolation is governed by <code>InterpolationOptions</code> and is
unaffected. Fixes <a
href="https://redirect.github.com/i18next/i18next-icu/issues/85">i18next-icu#85</a>.</li>
<li>fix(types): expose <code>enableSelector</code> on
<code>InitOptions</code> so <code>i18next.init({ enableSelector:
'strict' })</code> typechecks without a module augmentation. The runtime
already reads <code>opts?.enableSelector</code> from init options; this
lands the matching type declaration next to the other
selector-resolution knobs. Accepts <code>false | true | 'optimize' |
'strict'</code>. Thanks <a
href="https://github.com/Faithfinder"><code>@Faithfinder</code></a> (<a
href="https://redirect.github.com/i18next/i18next/pull/2431">#2431</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="22fb6ad013"><code>22fb6ad</code></a>
26.2.0</li>
<li><a
href="b640ac41ac"><code>b640ac4</code></a>
feat(types): parseInterpolation flag for ICU-friendly t() typing
(i18next-icu...</li>
<li><a
href="0b9debd0f7"><code>0b9debd</code></a>
changelog: 26.1.1 entry for <a
href="https://redirect.github.com/i18next/i18next/issues/2431">#2431</a></li>
<li><a
href="50509e4c91"><code>50509e4</code></a>
fix(types): expose enableSelector on InitOptions (<a
href="https://redirect.github.com/i18next/i18next/issues/2431">#2431</a>)</li>
<li><a
href="80b540291c"><code>80b5402</code></a>
Enhance Pro Tip in README with i18next-locize-backend plugin link</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.1.0...v26.2.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@codemirror/view](https://github.com/codemirror/view) from 6.42.1
to 6.43.0.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/codemirror/view/commits">compare view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [i18next](https://github.com/i18next/i18next) from 26.0.10 to
26.1.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/releases">i18next's
releases</a>.</em></p>
<blockquote>
<h2>v26.1.0</h2>
<ul>
<li>feat: <code>enableSelector: 'strict'</code> (TypeOptions + runtime
option). Opt-in mode that drops the flattened-primary form from
<code>NsResource</code> at the type level — every namespace (primary
included) is exposed only under its own key on <code>$</code>, uniformly
across single- and multi-ns hooks. At runtime, a leading selector path
segment matching the scope's namespace list is always rewritten as a
namespace prefix, including the primary. Eliminates the silent-miss
surface area where <code>t($ => $.primary.foo)</code> typechecks but
doesn't resolve under the default mode (see <a
href="https://redirect.github.com/i18next/i18next/issues/2429">#2429</a>).
Backward-compatible: default <code>enableSelector: false | true |
'optimize'</code> behavior is unchanged. Note: strict mode is
incompatible with the <a
href="https://redirect.github.com/i18next/i18next/issues/2405">#2405</a>
pattern (keys whose names match sibling namespaces) — those users should
stay on default mode.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.1.0</h2>
<ul>
<li>feat: <code>enableSelector: 'strict'</code> (TypeOptions + runtime
option). Opt-in mode that drops the flattened-primary form from
<code>NsResource</code> at the type level — every namespace (primary
included) is exposed only under its own key on <code>$</code>, uniformly
across single- and multi-ns hooks. At runtime, a leading selector path
segment matching the scope's namespace list is always rewritten as a
namespace prefix, including the primary. Eliminates the silent-miss
surface area where <code>t($ => $.primary.foo)</code> typechecks but
doesn't resolve under the default mode (see <a
href="https://redirect.github.com/i18next/i18next/issues/2429">#2429</a>).
Backward-compatible: default <code>enableSelector: false | true |
'optimize'</code> behavior is unchanged. Note: strict mode is
incompatible with the <a
href="https://redirect.github.com/i18next/i18next/issues/2405">#2405</a>
pattern (keys whose names match sibling namespaces) — those users should
stay on default mode.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5af047552b"><code>5af0475</code></a>
26.1.0</li>
<li><a
href="85c0951550"><code>85c0951</code></a>
feat: enableSelector: 'strict' — explicit-ns selector mode, no flattened
prim...</li>
<li><a
href="8fec684b4e"><code>8fec684</code></a>
docs(types): clarify ExistsFunction note re: narrowing through
wrappers</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.0.10...v26.1.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[//]: # (dependabot-start)
⚠️ **Dependabot is rebasing this PR** ⚠️
Rebasing might not happen immediately, so don't worry if this takes some
time.
Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.
---
[//]: # (dependabot-end)
Bumps [i18next](https://github.com/i18next/i18next) from 26.0.8 to
26.0.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/releases">i18next's
releases</a>.</em></p>
<blockquote>
<h2>v26.0.10</h2>
<ul>
<li>feat: <code>getFixedT</code> accepts a fourth optional
<code>fixedOpts</code> argument carrying <code>scopeNs</code> — the full
namespace list the bound <code>t</code> was created for. The selector
API uses <code>scopeNs</code> to detect when a path's first segment is a
namespace prefix, <strong>without</strong> changing resolution scope.
Resolution still uses the bound <code>ns</code> (a single primary string
in the typical react-i18next setup), so plain <code>t('key')</code>
lookups stay isolated to the primary namespace exactly as before — only
<code>t($ => $.secondaryNs.foo)</code> selectors now route correctly
under <code>useTranslation([nsA, nsB])</code>. Fixes the runtime side of
<a
href="https://redirect.github.com/i18next/i18next/issues/2429">#2429</a>
for the <code>react-i18next</code> default-<code>nsMode</code> case. The
4th argument is opt-in: existing 3-arg <code>getFixedT(lng, ns,
keyPrefix)</code> callers see no behavior change.</li>
</ul>
<h2>v26.0.9</h2>
<ul>
<li>fix(types): unformatted interpolation values are now typed as
<code>string | number</code> (was <code>string</code>). i18next
stringifies values at runtime, so requiring callers to wrap numbers in
<code>String(...)</code> for plain <code>{{var}}</code> placeholders was
unnecessary friction — and could mask the real problem when a non-string
value was passed alongside multiple interpolation slots (the
<code>t()</code> overload resolution would fall through to the 3-arg
form and report a confusing "not assignable to string" error
against the options object). Typed format specifiers like <code>{{x,
number}}</code>, <code>{{x, currency}}</code>, <code>{{x,
datetime}}</code>, etc. keep their precise types; this only relaxes the
no-format default. The <code>count</code> variable remains
<code>number</code>-only</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.10</h2>
<ul>
<li>feat: <code>getFixedT</code> accepts a fourth optional
<code>fixedOpts</code> argument carrying <code>scopeNs</code> — the full
namespace list the bound <code>t</code> was created for. The selector
API uses <code>scopeNs</code> to detect when a path's first segment is a
namespace prefix, <strong>without</strong> changing resolution scope.
Resolution still uses the bound <code>ns</code> (a single primary string
in the typical react-i18next setup), so plain <code>t('key')</code>
lookups stay isolated to the primary namespace exactly as before — only
<code>t($ => $.secondaryNs.foo)</code> selectors now route correctly
under <code>useTranslation([nsA, nsB])</code>. Fixes the runtime side of
<a
href="https://redirect.github.com/i18next/i18next/issues/2429">#2429</a>
for the <code>react-i18next</code> default-<code>nsMode</code> case. The
4th argument is opt-in: existing 3-arg <code>getFixedT(lng, ns,
keyPrefix)</code> callers see no behavior change.</li>
</ul>
<h2>26.0.9</h2>
<ul>
<li>fix(types): unformatted interpolation values are now typed as
<code>string | number</code> (was <code>string</code>). i18next
stringifies values at runtime, so requiring callers to wrap numbers in
<code>String(...)</code> for plain <code>{{var}}</code> placeholders was
unnecessary friction — and could mask the real problem when a non-string
value was passed alongside multiple interpolation slots (the
<code>t()</code> overload resolution would fall through to the 3-arg
form and report a confusing "not assignable to string" error
against the options object). Typed format specifiers like <code>{{x,
number}}</code>, <code>{{x, currency}}</code>, <code>{{x,
datetime}}</code>, etc. keep their precise types; this only relaxes the
no-format default. The <code>count</code> variable remains
<code>number</code>-only</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="61eaf5be10"><code>61eaf5b</code></a>
26.0.10</li>
<li><a
href="47fd92f8aa"><code>47fd92f</code></a>
feat: getFixedT 4th-arg scopeNs decouples selector ns-detection from
resoluti...</li>
<li><a
href="caf33f6196"><code>caf33f6</code></a>
26.0.9</li>
<li><a
href="eed0146d95"><code>eed0146</code></a>
fix(types): relax unformatted interpolation values to <code>string |
number</code></li>
<li><a
href="170fb0a9e4"><code>170fb0a</code></a>
Modernize locize.com URLs and refresh UTM tags</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.0.8...v26.0.10">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [react-i18next](https://github.com/i18next/react-i18next) from
17.0.6 to 17.0.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md">react-i18next's
changelog</a>.</em></p>
<blockquote>
<h2>17.0.7</h2>
<ul>
<li>feat: <code>useTranslation([nsA, nsB, ...])</code> now passes its
full namespace list to <code>getFixedT</code> via the new
<code>scopeNs</code> opt (requires <code>i18next</code> ≥ v26.0.10).
This makes selector calls with a secondary-namespace prefix resolve
correctly under default <code>nsMode</code>: <code>t($ =>
$.nsB.foo)</code> previously missed silently because the bound
<code>ns</code> was the primary string only and i18next's selector
rewrite needed an array. Resolution semantics are unchanged — plain
<code>t('key')</code> lookups still stay isolated to the primary
namespace by default; use <code>nsMode: 'fallback'</code> to opt into
multi-ns fallback resolution as before. Fixes <a
href="https://redirect.github.com/i18next/i18next/issues/2429">i18next#2429</a>
for <code>useTranslation</code>-based callers.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5e892a27a7"><code>5e892a2</code></a>
17.0.7</li>
<li><a
href="c8f4c6b564"><code>c8f4c6b</code></a>
feat: useTranslation([nsA,nsB]) routes selector secondary-ns prefix via
getFi...</li>
<li><a
href="084f9a650b"><code>084f9a6</code></a>
Modernize locize.com URLs and refresh UTM tags</li>
<li>See full diff in <a
href="https://github.com/i18next/react-i18next/compare/v17.0.6...v17.0.7">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@codemirror/view](https://github.com/codemirror/view) from 6.41.1
to 6.42.1.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/codemirror/view/commits">compare view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@codemirror/lint](https://github.com/codemirror/lint) from 6.9.5
to 6.9.6.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/codemirror/lint/commits">compare view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.13 to
8.5.14.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/releases">postcss's
releases</a>.</em></p>
<blockquote>
<h2>8.5.14</h2>
<ul>
<li>Fixed custom syntax regression (by <a
href="https://github.com/43081j"><code>@43081j</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's
changelog</a>.</em></p>
<blockquote>
<h2>8.5.14</h2>
<ul>
<li>Fixed custom syntax regression (by <a
href="https://github.com/43081j"><code>@43081j</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3ec13948ae"><code>3ec1394</code></a>
Release 8.5.14 version</li>
<li><a
href="f2bb827b20"><code>f2bb827</code></a>
Update dependencies</li>
<li><a
href="d75953d608"><code>d75953d</code></a>
Merge pull request <a
href="https://redirect.github.com/postcss/postcss/issues/2084">#2084</a>
from 43081j/raw-raws-rawing</li>
<li><a
href="68bd2139b5"><code>68bd213</code></a>
fix: always call <code>raw</code> to retrieve raw values</li>
<li>See full diff in <a
href="https://github.com/postcss/postcss/compare/8.5.13...8.5.14">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.12 to
8.5.13.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/releases">postcss's
releases</a>.</em></p>
<blockquote>
<h2>8.5.13</h2>
<ul>
<li>Fixed <code>postcss-scss</code> comment regression.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's
changelog</a>.</em></p>
<blockquote>
<h2>8.5.13</h2>
<ul>
<li>Fixed <code>postcss-scss</code> comment regression.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="af58cf1b7a"><code>af58cf1</code></a>
Release 8.5.13 version</li>
<li><a
href="f227dbd0e9"><code>f227dbd</code></a>
Temporary ignore pnpm 11 config</li>
<li><a
href="d3abd40d72"><code>d3abd40</code></a>
Update dependencies</li>
<li><a
href="dd06c3e113"><code>dd06c3e</code></a>
Revert stringifier changes because of the conflict with
postcss-scss</li>
<li><a
href="ae889c815f"><code>ae889c8</code></a>
Try to fix CI</li>
<li><a
href="e0093e49bc"><code>e0093e4</code></a>
Move to pnpm 11</li>
<li>See full diff in <a
href="https://github.com/postcss/postcss/compare/8.5.12...8.5.13">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [react-i18next](https://github.com/i18next/react-i18next) from
17.0.4 to 17.0.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md">react-i18next's
changelog</a>.</em></p>
<blockquote>
<h2>17.0.6</h2>
<ul>
<li>fix: restore the v17 <code>nodesToString</code> output format
consumed by <code>i18next-cli</code>'s extractor while still rendering
<a
href="https://redirect.github.com/i18next/react-i18next/issues/1919">1919</a>
correctly
<ul>
<li>17.0.5 fixed <a
href="https://redirect.github.com/i18next/react-i18next/issues/1919">1919</a>
by changing what <code>nodesToString</code> produced, which
inadvertently changed the extracted translation strings for keep-tags
wrapping non-keep React elements</li>
<li>The fix now lives in the renderer: indexed <code>&lt;N&gt;</code>
placeholders nested inside a keep-tag are scoped to that tag's own
original React children (matching kept tags by name and positional
occurrence at each level), so the translation string format produced by
<code>nodesToString</code> is unchanged</li>
</ul>
</li>
</ul>
<h2>17.0.5</h2>
<ul>
<li>fix: <code>&lt;Trans /&gt;</code> no longer breaks child rendering
when a kept HTML node (<code>transKeepBasicHtmlNodesFor</code>) wraps a
non-keep React element <a
href="https://redirect.github.com/i18next/react-i18next/issues/1919">1919</a>
— superseded by 17.0.6, which keeps the same runtime fix without
changing the <code>nodesToString</code> output</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cb20d1886b"><code>cb20d18</code></a>
17.0.6</li>
<li><a
href="b8ad5e4afd"><code>b8ad5e4</code></a>
fix: scope indexed placeholders inside keep-tags at render time <a
href="https://redirect.github.com/i18next/react-i18next/issues/1919">#1919</a></li>
<li><a
href="75ce985016"><code>75ce985</code></a>
17.0.5</li>
<li><a
href="9803bb8005"><code>9803bb8</code></a>
fix: &lt;Trans /&gt; no longer breaks child rendering when a kept HTML
node (transK...</li>
<li><a
href="ec37a48d76"><code>ec37a48</code></a>
chore: ignore .env*, *.pem, *.key in .gitignore</li>
<li>See full diff in <a
href="https://github.com/i18next/react-i18next/compare/v17.0.4...v17.0.6">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.11 to
8.5.12.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/releases">postcss's
releases</a>.</em></p>
<blockquote>
<h2>8.5.12</h2>
<ul>
<li>Fixed reading any file via user-generated CSS.</li>
<li>Added <code>opts.unsafeMap</code> to disable checks.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's
changelog</a>.</em></p>
<blockquote>
<h2>8.5.12</h2>
<ul>
<li>Fixed reading any file via user-generated CSS.</li>
<li>Added <code>opts.unsafeMap</code> to disable checks.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9bc81c48f0"><code>9bc81c4</code></a>
Release 8.5.12 version</li>
<li><a
href="85c4d7dab8"><code>85c4d7d</code></a>
Another try to fix coverage</li>
<li><a
href="94484cae6d"><code>94484ca</code></a>
Try to fix coverage</li>
<li><a
href="c64b7488d2"><code>c64b748</code></a>
Load only .map source maps</li>
<li><a
href="aaec7b78b3"><code>aaec7b7</code></a>
Avoid throwing JSON parsing errors for non-JSON source maps</li>
<li><a
href="233fb264ea"><code>233fb26</code></a>
Mention original author of the solution</li>
<li>See full diff in <a
href="https://github.com/postcss/postcss/compare/8.5.11...8.5.12">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.10 to
8.5.11.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/releases">postcss's
releases</a>.</em></p>
<blockquote>
<h2>8.5.11</h2>
<ul>
<li>Fixed nested brackets parsing performance (by <a
href="https://github.com/offset"><code>@offset</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's
changelog</a>.</em></p>
<blockquote>
<h2>8.5.11</h2>
<ul>
<li>Fixed nested brackets parsing performance (by <a
href="https://github.com/offset"><code>@offset</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2502f75030"><code>2502f75</code></a>
Release 8.5.11 version</li>
<li><a
href="5ca1901949"><code>5ca1901</code></a>
Speed up parsing many nested brackets</li>
<li><a
href="42b5337dd7"><code>42b5337</code></a>
Update dependencies</li>
<li><a
href="7e36e153d0"><code>7e36e15</code></a>
Cache node.raws locally in Stringifier hot methods</li>
<li><a
href="8ec62b157b"><code>8ec62b1</code></a>
Bypass MapGenerator for no-source-map stringify in LazyResult</li>
<li>See full diff in <a
href="https://github.com/postcss/postcss/compare/8.5.10...8.5.11">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [i18next](https://github.com/i18next/i18next) from 26.0.7 to
26.0.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/releases">i18next's
releases</a>.</em></p>
<blockquote>
<h2>v26.0.8</h2>
<ul>
<li>fix(types): restore the pre-v25.10.4 <code>ExistsFunction</code>
shape so plain arrow functions can again be assigned to
<code>ExistsFunction</code>-typed variables (TypeScript cannot infer
type predicates through multi-overload assignment). Direct
<code>i18next.exists(key)</code> calls still narrow <code>key</code> to
<code>SelectorKey</code> — the predicate is now declared inline on
<code>i18n.exists</code>. Custom wrappers that want the narrowing can
type themselves as <code>typeof i18next.exists</code> <a
href="https://redirect.github.com/i18next/i18next/issues/2425">2425</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.8</h2>
<ul>
<li>fix(types): restore the pre-v25.10.4 <code>ExistsFunction</code>
shape so plain arrow functions can again be assigned to
<code>ExistsFunction</code>-typed variables (TypeScript cannot infer
type predicates through multi-overload assignment). Direct
<code>i18next.exists(key)</code> calls still narrow <code>key</code> to
<code>SelectorKey</code> — the predicate is now declared inline on
<code>i18n.exists</code>. Custom wrappers that want the narrowing can
type themselves as <code>typeof i18next.exists</code> <a
href="https://redirect.github.com/i18next/i18next/issues/2425">2425</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3ea438f841"><code>3ea438f</code></a>
26.0.8</li>
<li><a
href="5176bbd7a1"><code>5176bbd</code></a>
retry version bump</li>
<li><a
href="10b48c6193"><code>10b48c6</code></a>
26.0.8</li>
<li><a
href="9fdd99a919"><code>9fdd99a</code></a>
retry version bump</li>
<li><a
href="9ee7da174d"><code>9ee7da1</code></a>
changelog</li>
<li><a
href="8ce5e268de"><code>8ce5e26</code></a>
26.0.8</li>
<li><a
href="e802567c9c"><code>e802567</code></a>
fix(types): restore <code>ExistsFunction</code> shape to keep
arrow-function wrappers as...</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.0.7...v26.0.8">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [i18next](https://github.com/i18next/i18next) from 26.0.6 to
26.0.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.7</h2>
<ul>
<li>fix: when a plural lookup misses, the <code>missingKey</code> debug
log now shows the actual plural-resolved key (e.g.
<code>foo.bar_many</code> for Polish <code>count: 14</code>) instead of
the base key — making it obvious which plural category was expected and
missing <a
href="https://redirect.github.com/i18next/i18next/issues/2423">2423</a></li>
<li>chore: drop <code>@babel/runtime</code> runtime dependency. The
build no longer generates any <code>@babel/runtime</code> imports, so
the package is unused by consumers. Rollup now uses <code>babelHelpers:
'bundled'</code> so any helpers that are ever needed in the future will
be inlined rather than imported externally <a
href="https://redirect.github.com/i18next/i18next/issues/2424">2424</a></li>
<li>chore: stop emitting <code>dist/esm/i18next.bundled.js</code>. It
was byte-identical to <code>dist/esm/i18next.js</code> because no
helpers were being imported <a
href="https://redirect.github.com/i18next/i18next/issues/2424">2424</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ce06fba2a5"><code>ce06fba</code></a>
26.0.7</li>
<li><a
href="ca33377537"><code>ca33377</code></a>
chore: drop unused <code>@babel/runtime</code> dep and redundant
bundled ESM output</li>
<li><a
href="8abe4e66ce"><code>8abe4e6</code></a>
fix: show resolved plural key in missingKey debug log</li>
<li><a
href="073eb1068a"><code>073eb10</code></a>
ts tests fix</li>
<li><a
href="a3dfb180d8"><code>a3dfb18</code></a>
security tests</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.0.6...v26.0.7">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [i18next](https://github.com/i18next/i18next) from 26.0.5 to
26.0.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/releases">i18next's
releases</a>.</em></p>
<blockquote>
<h2>v26.0.6</h2>
<p>Security release — all issues found via an internal audit. GHSA
advisory filed after release.</p>
<ul>
<li>security: warn when a translation string combines <code>escapeValue:
false</code> with interpolated variables inside a <code>$t(key, { ...
"{{var}}" ... })</code> nesting-options block. In that narrow
combination, attacker-controlled string values containing
<code>"</code> can break out of the JSON options literal and inject
additional nesting options (e.g. redirect
<code>lng</code>/<code>ns</code>). The default <code>escapeValue:
true</code> configuration is unaffected because HTML-escaping
neutralises the quote before <code>JSON.parse</code>. See the security
docs for mitigation guidance (GHSA-TBD)</li>
<li>security: apply <code>regexEscape</code> to
<code>unescapePrefix</code> / <code>unescapeSuffix</code> on par with
the other interpolation delimiters. Prevents ReDoS
(catastrophic-backtracking) when a misconfigured delimiter contains
regex metacharacters, and fixes silent breakage of the <code>{{-
var}}</code> syntax when the delimiter contains characters like
<code>(</code>, <code>[</code>, <code>.</code></li>
<li>security: strip CR/LF/NUL and other C0/C1 control characters from
string log arguments to prevent log forging via user-controlled
translation keys, language codes, namespaces, or interpolation variable
names (CWE-117)</li>
<li>chore: ignore <code>.env*</code> and
<code>*.pem</code>/<code>*.key</code> files in
<code>.gitignore</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.6</h2>
<p>Security release — all issues found via an internal audit.</p>
<ul>
<li>security: warn when a translation string combines <code>escapeValue:
false</code> with interpolated variables inside a <code>$t(key, { ...
"{{var}}" ... })</code> nesting-options block. In that narrow
combination, attacker-controlled string values containing
<code>"</code> can break out of the JSON options literal and inject
additional nesting options (e.g. redirect
<code>lng</code>/<code>ns</code>). The default <code>escapeValue:
true</code> configuration is unaffected because HTML-escaping
neutralises the quote before <code>JSON.parse</code>. See the <a
href="https://www.i18next.com/translation-function/nesting#security-note-interpolated-values-inside-a-nesting-options-block">security
note in the Nesting docs</a> for the full pattern and mitigations</li>
<li>security: apply <code>regexEscape</code> to
<code>unescapePrefix</code> / <code>unescapeSuffix</code> on par with
the other interpolation delimiters. Prevents ReDoS
(catastrophic-backtracking) when a misconfigured delimiter contains
regex metacharacters, and fixes silent breakage of the <code>{{-
var}}</code> syntax when the delimiter contains characters like
<code>(</code>, <code>[</code>, <code>.</code></li>
<li>security: strip CR/LF/NUL and other C0/C1 control characters from
string log arguments to prevent log forging via user-controlled
translation keys, language codes, namespaces, or interpolation variable
names (CWE-117)</li>
<li>chore: ignore <code>.env*</code> and
<code>*.pem</code>/<code>*.key</code> files in
<code>.gitignore</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9d0ed9f98e"><code>9d0ed9f</code></a>
26.0.6</li>
<li><a
href="8c82564437"><code>8c82564</code></a>
security: hardening for 26.0.6 — nesting-options warning, regexEscape
unescap...</li>
<li><a
href="0cb018c363"><code>0cb018c</code></a>
chore: bump devDependencies</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.0.5...v26.0.6">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
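The two hardening steps named in the 26.0.6 notes above (escaping `unescapePrefix` / `unescapeSuffix` before they are compiled into a pattern, and taking control characters out of string log arguments), as an added JavaScript example. It is not i18next's source: `buildUnescapeRegex`, `unescapedVars`, `sanitizeLogArgs` and `formatLogLine` are hypothetical names, this `regexEscape` is the example's own implementation, and all inputs are constructed.

```javascript
// Added illustration, not i18next code. Helper names are hypothetical.

// Escape every regex metacharacter so a configured delimiter matches literally.
function regexEscape(str) {
  return str.replace(/[\\^$.*+?()[\]{}|-]/g, '\\$&');
}

// Build the matcher for the "unescaped interpolation" syntax, e.g. {{- var}}.
// hardened=false reproduces the misconfiguration risk: the unescape delimiters
// are pasted into the pattern as raw regex source.
function buildUnescapeRegex(delims, hardened) {
  const { prefix = '{{', suffix = '}}', unescapePrefix = '-', unescapeSuffix = '' } = delims;
  const esc = hardened ? regexEscape : (s) => s;
  const source =
    regexEscape(prefix) + esc(unescapePrefix) + '\\s*(.+?)\\s*' +
    esc(unescapeSuffix) + regexEscape(suffix);
  return new RegExp(source, 'g');
}

// Return the variable names a template marks as "do not escape".
function unescapedVars(template, delims, hardened) {
  const re = buildUnescapeRegex(delims, hardened);
  return Array.from(template.matchAll(re), (m) => m[1]);
}

// C0 controls (includes CR, LF, NUL), DEL, and C1 controls.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/g;

// Neutralise control characters in string arguments only; objects and numbers
// pass through untouched. Replacing with a space (rather than deleting) is this
// example's choice so adjacent tokens stay visibly separate.
function sanitizeLogArgs(args) {
  return args.map((a) => (typeof a === 'string' ? a.replace(CONTROL_CHARS, ' ') : a));
}

// Hypothetical single-line log formatter.
function formatLogLine(level, args) {
  return `[${level}] ` + sanitizeLogArgs(args).map(String).join(' ');
}

// --- Constructed demo inputs ---
const template = 'Hi {{name}} {{.raw}}';

// Delimiter "." unescaped is a wildcard: the ordinary {{name}} is misread as
// an unescaped variable called "ame".
console.log(unescapedVars(template, { unescapePrefix: '.' }, false)); // [ 'ame', 'raw' ]
console.log(unescapedVars(template, { unescapePrefix: '.' }, true));  // [ 'raw' ]

// Delimiter "(" unescaped is not even a valid pattern.
try {
  buildUnescapeRegex({ unescapePrefix: '(' }, false);
} catch (e) {
  console.log('unhardened "(" delimiter:', e.name);
}
console.log(unescapedVars('{{(raw}}', { unescapePrefix: '(' }, true)); // [ 'raw' ]

// A user-controlled translation key carrying a line break cannot start a
// second, forged log entry once it is sanitised.
const userKey = 'missing.key\r\n[error] constructed forged entry';
console.log(formatLogLine('warn', ['missingKey', 'en', 'translation', userKey]));
```
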
Bumps [@codemirror/view](https://github.com/codemirror/view) from 6.41.0
to 6.41.1.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/codemirror/view/commits">compare view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[eslint-plugin-react-hooks](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks)
from 7.1.0 to 7.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/facebook/react/releases">eslint-plugin-react-hooks's
releases</a>.</em></p>
<blockquote>
<h2>eslint-plugin-react-hooks@7.1.1 (April 17, 2026)</h2>
<p><strong>Note:</strong> 7.1.0 accidentally removed the
<code>component-hook-factories</code> rule, causing errors for users who
referenced it in their ESLint config. This is now fixed.</p>
<ul>
<li>Add deprecated no-op <code>component-hook-factories</code> rule for
backwards compatibility. (<a
href="https://github.com/mofeiZ"><code>@mofeiZ</code></a> in <a
href="https://redirect.github.com/facebook/react/pull/36307">#36307</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/facebook/react/blob/main/packages/eslint-plugin-react-hooks/CHANGELOG.md">eslint-plugin-react-hooks's
changelog</a>.</em></p>
<blockquote>
<h2>7.1.1</h2>
<p><strong>Note:</strong> 7.1.0 accidentally removed the
<code>component-hook-factories</code> rule, causing errors for users who
referenced it in their ESLint config. This is now fixed.</p>
<ul>
<li>Add deprecated no-op <code>component-hook-factories</code> rule for
backwards compatibility. (<a
href="https://github.com/mofeiZ"><code>@mofeiZ</code></a> in <a
href="https://redirect.github.com/facebook/react/pull/36307">#36307</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d1727fbf98"><code>d1727fb</code></a>
[eprh] Update changelog for 7.1.1 (<a
href="https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks/issues/36308">#36308</a>)</li>
<li><a
href="bc249804d3"><code>bc24980</code></a>
[eprh] Add back a no-op for removed component-hook-factories rule (<a
href="https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks/issues/36307">#36307</a>)</li>
<li>See full diff in <a
href="https://github.com/facebook/react/commits/eslint-plugin-react-hooks@7.1.1/packages/eslint-plugin-react-hooks">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [i18next](https://github.com/i18next/i18next) from 26.0.4 to
26.0.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/releases">i18next's
releases</a>.</em></p>
<blockquote>
<h2>v26.0.5</h2>
<ul>
<li>fix: <code>cloneInstance().changeLanguage()</code> no longer fails
to update language state when the target language is not yet loaded — a
race between <code>init()</code>'s deferred <code>load()</code> and the
user's <code>changeLanguage()</code> could overwrite
<code>isLanguageChangingTo</code>, causing <code>setLngProps</code> to
be skipped <a
href="https://redirect.github.com/i18next/i18next/issues/2422">2422</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/i18next/i18next/blob/master/CHANGELOG.md">i18next's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.5</h2>
<ul>
<li>fix: <code>cloneInstance().changeLanguage()</code> no longer fails
to update language state when the target language is not yet loaded — a
race between <code>init()</code>'s deferred <code>load()</code> and the
user's <code>changeLanguage()</code> could overwrite
<code>isLanguageChangingTo</code>, causing <code>setLngProps</code> to
be skipped <a
href="https://redirect.github.com/i18next/i18next/issues/2422">2422</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ab4633fee0"><code>ab4633f</code></a>
26.0.5</li>
<li><a
href="bae3b8bca9"><code>bae3b8b</code></a>
fix: <code>cloneInstance().changeLanguage()</code> no longer fails to
update language st...</li>
<li>See full diff in <a
href="https://github.com/i18next/i18next/compare/v26.0.4...v26.0.5">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>