Bump the npm-dependencies group across 1 directory with 37 updates

[dependabot]

Bumps the npm-dependencies group with 36 updates in the / directory:

Package	From	To
@kenjiuno/msgreader	1.27.1-alpha.1	1.28.0
@matbee/libreoffice-converter	2.3.1	2.6.0
@tailwindcss/vite	4.1.18	4.2.4
archiver	7.0.1	8.0.0
cropperjs	1.6.2	2.1.1
i18next	25.7.3	26.0.10
i18next-browser-languagedetector	8.2.0	8.2.1
i18next-http-backend	3.0.2	4.0.0
jspdf	4.2.0	4.2.1
lucide	0.546.0	1.14.0
mermaid	11.12.2	11.14.0
pdfjs-dist	5.4.530	5.7.284
pdfkit	0.17.2	0.18.0
postal-mime	2.7.1	2.7.4
sortablejs	1.15.6	1.15.7
terser	5.44.1	5.47.1
tesseract.js	6.0.1	7.0.0
vite-plugin-static-copy	3.1.4	4.1.0
zgapdfsigner	2.7.5	2.7.6
@eslint/js	9.39.2	10.0.1
@types/pdfkit	0.17.4	0.17.6
@vitejs/plugin-basic-ssl	2.1.4	2.3.0
@vitest/coverage-v8	3.2.4	4.1.5
@vitest/ui	3.2.4	4.1.5
eslint	9.39.2	10.3.0
globals	17.0.0	17.6.0
jsdom	27.4.0	29.1.1
lint-staged	16.2.7	17.0.2
prettier	3.7.4	3.8.3
typescript	5.9.3	6.0.3
typescript-eslint	8.51.0	8.59.2
vite	7.3.0	8.0.11
vite-plugin-handlebars	2.0.0	2.0.3
vite-plugin-node-polyfills	0.24.0	0.26.0
vitest	3.2.4	4.1.5
vue	3.5.26	3.5.34

Updates @kenjiuno/msgreader from 1.27.1-alpha.1 to 1.28.0

Commits

• See full diff in compare view

Updates @matbee/libreoffice-converter from 2.3.1 to 2.6.0

Release notes

Sourced from @​matbee/libreoffice-converter's releases.

v2.6.0

2.6.0 (2026-03-17)

Bug Fixes

• add eslint-disable for unsafe jszip dynamic import access (a35d876)
• exclude WASM converter tests from CI (36255d0)
• fix Release workflow checkout and test step (6455ca4)
• use single glob pattern for vitest --exclude (e5e1f54)

Features

• add font packaging script and zip loading helpers (78f2343)
• add runtime font injection for WASM virtual filesystem (7efb2ff)
• add system font loading, fontsource integration, and font bundle CI (c511c03)

v2.5.1

2.5.1 (2026-03-13)

Bug Fixes

• conditionally log wasm loading based on verbose flag (2ff3e80)

v2.5.0

2.5.0 (2026-01-21)

Features

• Implement CSV import filter options for LibreOffice conversion (6fffed5)

v2.4.0

2.4.0 (2026-01-16)

Features

• Enhance worker management and directory setup for LibreOffice conversion (515a294)
• Update test configuration (cd69525)

Changelog

Sourced from @​matbee/libreoffice-converter's changelog.

2.6.0 (2026-03-17)

Bug Fixes

• add eslint-disable for unsafe jszip dynamic import access (a35d876)
• exclude WASM converter tests from CI (36255d0)
• fix Release workflow checkout and test step (6455ca4)
• use single glob pattern for vitest --exclude (e5e1f54)

Features

• add font packaging script and zip loading helpers (78f2343)
• add runtime font injection for WASM virtual filesystem (7efb2ff)
• add system font loading, fontsource integration, and font bundle CI (c511c03)

2.5.1 (2026-03-13)

Bug Fixes

• conditionally log wasm loading based on verbose flag (2ff3e80)

2.5.0 (2026-01-21)

Features

• Implement CSV import filter options for LibreOffice conversion (6fffed5)

2.4.0 (2026-01-16)

Features

• Enhance worker management and directory setup for LibreOffice conversion (515a294)
• Update test configuration (cd69525)

Commits

• 1bfae4a chore(release): 2.6.0 [skip ci]
• 4c91e79 Merge pull request #11 from matbeedotcom/feat/font-injection
• 6455ca4 fix: fix Release workflow checkout and test step
• a59ffb7 Merge pull request #10 from matbeedotcom/feat/font-injection
• e5e1f54 fix: use single glob pattern for vitest --exclude
• 3e4b450 Merge pull request #9 from matbeedotcom/feat/font-injection
• 36255d0 fix: exclude WASM converter tests from CI
• dd3e830 Merge pull request #8 from matbeedotcom/feat/font-injection
• 1183a88 chore: add CI workflow for pull request checks
• 6a0a016 Merge pull request #7 from matbeedotcom/feat/font-injection
• Additional commits viewable in compare view

Updates @tailwindcss/vite from 4.1.18 to 4.2.4

Release notes

Sourced from @​tailwindcss/vite's releases.

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

v4.2.2

Added

• Support Vite 8 in @tailwindcss/vite (#19790)

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#19745)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#19812)

v4.2.1

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#19696)
• Properly detect classes containing . characters within curly braces in MDX files (#19711)

... (truncated)

Changelog

Sourced from @​tailwindcss/vite's changelog.

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalization for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)
• Add .env and .env.* to default ignored content files (#19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#19858)
• Improve performance when scanning JSONL / NDJSON files (#19862)
• Support NODE_PATH environment variable in standalone CLI (#19617)

[4.2.2] - 2026-03-18

Fixed

• Don't crash when candidates contain prototype properties like row-constructor (#19725)
• Canonicalize calc(var(--spacing)*…) expressions into --spacing(…) (#19769)
• Fix crash in canonicalization step when handling utilities containing @property at-rules (e.g. shadow-sm border) (#19727)
• Skip full reload for server only modules scanned by client CSS when using @tailwindcss/vite (#19745)
• Add support for Vite 8 in @tailwindcss/vite (#19790)
• Improve canonicalization for bare values exceeding default spacing scale suggestions (e.g. w-1234 h-1234 → size-1234) (#19809)
• Fix canonicalization resulting in empty list (e.g. w-5 h-5 size-5 → '' instead of size-5) (#19812)
• Resolve tsconfig paths to allow for @import '@/path/to/file'; when using @tailwindcss/vite (#19803)

[4.2.1] - 2026-02-23

Fixed

• Allow trailing dash in functional utility names for backwards compatibility (#19696)

... (truncated)

Commits

• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• 5cb1efd fix(vite): resolve tsconfig paths in CSS and JS resolvers (#19803)
• d596b0c 4.2.2 (#19821)
• faa5e88 Cleanup inconsistencies related to (regex) escapes (#19804)
• 59b0329 Add support for Vite 8 in @tailwindcss/vite (#19790)
• bf441a7 fix(vite): skip full reload for server only modules scanned by client css (#1...
• 1dce64e 4.2.1 (#19714)
• 1b16411 4.2.0 (#19695)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/vite since your current version.

Updates archiver from 7.0.1 to 8.0.0

Release notes

Sourced from archiver's releases.

8.0.0

What’s changed

Breaking changes

• esm: node v18+ required @​ctalkington (#790)

Maintenance

• Update actions/checkout action to v4.1.6 @renovate[bot] (#758)
• Update actions/checkout action to v4.1.7 @renovate[bot] (#767)
• Update actions/setup-node action to v4.0.3 @renovate[bot] (#775)
• Update actions/checkout action to v4.2.1 @renovate[bot] (#786)
• Update actions/setup-node action to v4.0.4 @renovate[bot] (#784)
• Update actions/setup-node action to v4.2.0 @renovate[bot] (#797)
• Update actions/checkout action to v4.2.2 @renovate[bot] (#796)
• Update release-drafter/release-drafter action to v6.1.0 @renovate[bot] (#805)
• Update actions/setup-node action to v4.4.0 @renovate[bot] (#811)
• Update release-drafter/release-drafter action to v6.4.0 @renovate[bot] (#825)
• Update actions/checkout action to v4.3.1 @renovate[bot] (#826)
• Update actions/setup-node action to v6 @renovate[bot] (#827)
• Update actions/checkout action to v6 @renovate[bot] (#833)
• Update release-drafter/release-drafter action to v7 @renovate[bot] (#836)

Documentation

• Add glob method's options.cwd to API docs @​PixievoltNo1 (#756)
• release 8.0.0 @​ctalkington (#832)

Dependency updates

• Update actions/checkout action to v4.1.6 @renovate[bot] (#758)
• Lock file maintenance @renovate[bot] (#752)
• Update dependency readdir-glob to v2 @renovate[bot] (#755)
• Update dependency yauzl to v3.1.3 @renovate[bot] (#757)
• Update dependency jsdoc to v4.0.3 @renovate[bot] (#761)
• Update dependency mocha to v10.4.0 @renovate[bot] (#750)
• Update dependency tar to v6.2.1 @renovate[bot] (#749)
• Update actions/checkout action to v4.1.7 @renovate[bot] (#767)
• Update actions/setup-node action to v4.0.3 @renovate[bot] (#775)
• Lock file maintenance @renovate[bot] (#771)
• Update actions/checkout action to v4.2.1 @renovate[bot] (#786)
• Update dependency mocha to v10.7.3 @renovate[bot] (#769)
• Lock file maintenance @renovate[bot] (#789)
• Update actions/setup-node action to v4.0.4 @renovate[bot] (#784)
• Update dependency chai to v4.5.0 @renovate[bot] (#779)
• Update dependency rimraf to v5.0.10 @renovate[bot] (#766)
• Update docusaurus monorepo to v3.5.2 @renovate[bot] (#751)
• Lock file maintenance @renovate[bot] (#795)
• Update actions/setup-node action to v4.2.0 @renovate[bot] (#797)

... (truncated)

Changelog

Sourced from archiver's changelog.

Changelog

8.0.0 - May 8, 2026 — Diff

7.0.1 - March 9, 2024 — Diff

7.0.0 - February 28, 2024 — Diff

6.0.2 - February 27, 2024 — Diff

6.0.1 - September 3, 2023 — Diff

6.0.0 - August 17, 2023 — Diff

Release Archive

Commits

• 52d1d34 release 8.0.0 (#832)
• 5547c6d Update dependency zip-stream to v7.0.5 (#837)
• 08c7370 Update release-drafter/release-drafter action to v7 (#836)
• 8810635 Update dependency mocha to v11 (#806)
• 756d1a1 Update docusaurus monorepo to v3.10.1 (#804)
• 74725a7 Update dependency rimraf to v6 (#774)
• 0a42a6c Update dependency chai to v6 (#834)
• 639553b Update dependency zip-stream to v7.0.4 (#830)
• 1d550c6 Update actions/checkout action to v6 (#833)
• fed1618 Update dependency yauzl to v3.3.0 (#831)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for archiver since your current version.

Updates cropperjs from 1.6.2 to 2.1.1

Release notes

Sourced from cropperjs's releases.

v2.1.1

See CHANGELOG.md for details.

v2.1.0

What's Changed

• fix(element-selection): get correct event target in shadow DOM by @​fleeze in fengyuanchen/cropperjs#1276

New Contributors

• @​fleeze made their first contribution in fengyuanchen/cropperjs#1276

Full Changelog: fengyuanchen/cropperjs@v2.0.1...v2.1.0

v2.0.1

What's Changed

• fix #1078 Prevent shade from "glitching" when pulling selection too far by @​valetobias in fengyuanchen/cropperjs#1242
• fix: set crossorigin attribute on cropper image element by @​ArneSchoonvliet in fengyuanchen/cropperjs#1253
• fix: correct require.node.default export and explicitly export package.json by @​miguelaenlle in fengyuanchen/cropperjs#1259

New Contributors

• @​valetobias made their first contribution in fengyuanchen/cropperjs#1242
• @​ArneSchoonvliet made their first contribution in fengyuanchen/cropperjs#1253
• @​miguelaenlle made their first contribution in fengyuanchen/cropperjs#1259

Full Changelog: fengyuanchen/cropperjs@v2.0.0...v2.0.1

v2.0.0

Full Changelog: fengyuanchen/cropperjs@v2.0.0-rc.2...v2.0.0

v2.0.0-rc

Features

• CropperImage
  • Add a new property: initial-center-size.
• CropperSelection
  • Add a new property: linked => dynamic.

Breaking Changes

• CropperImage
  • Change the default value of the rotatable property from true to false.
  • Change the default value of the scalable property from true to false.
  • Change the default value of the skewable property from true to false.
  • Change the default value of the translatable property from true to false.

Full Changelog: fengyuanchen/cropperjs@v2.0.0-beta.5...v2.0.0-rc

v2.0.0-rc.0

Breaking Changes

• CropperSelection

... (truncated)

Changelog

Sourced from cropperjs's changelog.

2.1.1 (2026-04-06)

• chore: update dependencies (d3af648)
• fix(element-image): always center the image, even if it is neither translatable nor scalable (a03c93a), closes #1292
• fix(element-shade): re-render the shade on window resize (26de54d)
• fix(element-shade): use window.devicePixelRatio to calculate the correct outline width (b32a975), closes #1284
• fix(element-viewer): fix incorrect preview size when using SVG image format in Safari (acc8771), closes #1290
• ci: add workflow for creating release (3034097)
• ci: add workflow for publishing package to npm (a2e2fcd)
• ci: update GitHub Actions to use latest versions of checkout and setup-node actions (ba945ab)
• docs: add Hello World example (a586dcb), closes #1282

2.1.0 (2025-10-19)

• build: release v2.1.0 (268be1a)
• docs: fix value of free aspect ratio (5b4e96f), closes #1274
• refactor(element-shade): use selection itself when default prevented (0673f15)
• fix(element-image): ensure the image is fully rendered (5afd8f3), closes #1168
• fix(element-selection): get correct event target in shadow DOM (#1276) (e64d6c3), closes #1276
• fix(element-shade): fix shade size when selection changes (98c101c)
• fix(element): call attachShadow only if shadowRoot does not exist (75cabcf), closes #1217
• feat(cropperjs): add destroy method (6a933e3), closes #1271

2.0.1 (2025-07-25)

• build: add missing /dist paths (42dba8b)
• build: release v2.0.1 (6b8e5ff)
• fix: correct require.node.default export and explicitly export package.json (#1259) (97f8787), closes #1259
• fix: set crossorigin attribute on cropper image element (#1253) (f11026c), closes #1253
• fix(cropper-selection): improve selection movement logic for better user experience (e7e3510)
• fix(cropperjs): fix container query issue when in a custom element (4fea6fd)
• fix(cropperjs): inherit additional attributes from HTMLImageElement (cb5a341)
• fix(element-image): add missing attributes (type declarations) (2e46715), closes #1233
• fix(element-shade): get data from event.detail when the selection is dynamic (f6b2847)
• fix(element-shade): get data from event.detail when there are multiple selections (09fd9ca)
• fix(element-shade): prevent shade from "glitching" when pulling selection too far (#1242) (2dab6ff), closes #1242 #1078
• fix(element-viewer): fix selection query issue when in a custom element (aecee79), closes #1245
• fix(element-viewer): transform the image by the selection offset after the next DOM update cycle (04a2c8b), closes #1258
• test(cropper): remove support for HTMLCanvasElement and improve container handling in tests (91d5ab3)
• test(cropperjs): add container option to getCropperSelections test (69a0ab6)
• refactor(element-shade): rename selection event handler for better readability (c960217)
• docs: explain that jQuery Cropper only available for Cropper.js 1.0 now (3df9b20)

2.0.0 (2025-03-01)

... (truncated)

Commits

• 0bbb4de build: release 2.1.1
• 268be1a build: release v2.1.0
• 6a933e3 feat(cropperjs): add destroy method
• 6b8e5ff build: release v2.0.1
• 42dba8b build: add missing /dist paths
• 97f8787 fix: correct require.node.default export and explicitly export package.json (...
• 91d5ab3 test(cropper): remove support for HTMLCanvasElement and improve container han...
• 69a0ab6 test(cropperjs): add container option to getCropperSelections test
• cb5a341 fix(cropperjs): inherit additional attributes from HTMLImageElement
• f11026c fix: set crossorigin attribute on cropper image element (#1253)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for cropperjs since your current version.

Updates i18next from 25.7.3 to 26.0.10

Release notes

Sourced from i18next's releases.

v26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

v26.0.2

• fix(types): t("key", {} as TOptions) no longer produces a type error — the context constraint now bypasses strict checking when context is unknown (e.g. from TOptions) 2418

v26.0.1

• fix: Formatter no longer crashes when alwaysFormat is true and no format specifier is present (format is undefined)
• fix: Formatter now returns undefined/null values as-is instead of producing NaN when the value is missing

v26.0.0

This is a major breaking release:

Breaking Changes

• Remove deprecated initImmediate option — the backward-compatibility mapping from initImmediate to initAsync (introduced in v24) has been removed. Use initAsync instead.
• Remove legacy interpolation.format function — the old monolithic format function (interpolation: { format: (value, format, lng) => ... }) is no longer supported. The built-in Formatter (or a custom Formatter module via .use()) is now always used. Migrate to the new formatting approach using i18next.services.formatter.add() or .addCached() for custom formatters.
• Remove console support notice — the console support notice introduced in v25.8.0 has been removed, along with the showSupportNotice option and all related internal suppression logic (globalThis.__i18next_supportNoticeShown, I18NEXT_NO_SUPPORT_NOTICE env var). See our blog post for the full story.
• Remove simplifyPluralSuffix optionDescription has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pd-fusion	Error		May 8, 2026 9:42am

[dependabot]

Dependabot couldn't access the repository. Because of this, Dependabot cannot update this pull request.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.