chore(deps): bump the prod-dependencies group with 5 updates

[dependabot]

Bumps the prod-dependencies group with 5 updates:

Package	From	To
@fastify/static	9.1.1	9.1.3
openid-client	6.8.3	6.8.4
i18next	26.0.5	26.0.8
react-i18next	17.0.4	17.0.6
react-router-dom	7.14.1	7.14.2

Updates @fastify/static from 9.1.1 to 9.1.3

Release notes

Sourced from @​fastify/static's releases.

v9.1.3

What's Changed

• fix: support wildcard prefixes with route params by @​mcollina in fastify/fastify-static#576

Full Changelog: fastify/fastify-static@v9.1.2...v9.1.3

v9.1.2

What's Changed

• fix: resolve wildcard paths in encapsulated contexts by @​mcollina in fastify/fastify-static#574

Full Changelog: fastify/fastify-static@v9.1.1...v9.1.2

Commits

• 880c1a6 Bumped v9.1.3
• 7f92da5 fix: support wildcard prefixes with route params (#576)
• b0a66d5 Bumped v9.1.2
• 32af863 fix: resolve wildcard paths in encapsulated contexts (#574)
• See full diff in compare view

Updates openid-client from 6.8.3 to 6.8.4

Release notes

Sourced from openid-client's releases.

v6.8.4

Fixes

• apply optional non-repudiation on generic grant ID Tokens (6202888)
• filter jwe decryption keys by algorithm (34e2ffd)
• preserve poll abort signals on requests (96a2d17)
• retry dpop nonce errors for generic grants (498c4d9)

Changelog

Sourced from openid-client's changelog.

6.8.4 (2026-04-27)

Fixes

• apply optional non-repudiation on generic grant ID Tokens (6202888)
• filter jwe decryption keys by algorithm (34e2ffd)
• preserve poll abort signals on requests (96a2d17)
• retry dpop nonce errors for generic grants (498c4d9)

Commits

• c645695 chore(release): 6.8.4
• ee60464 chore: update CHANGELOG.md header
• 96a2d17 fix: preserve poll abort signals on requests
• 34e2ffd fix: filter jwe decryption keys by algorithm
• 6202888 fix: apply optional non-repudiation on generic grant ID Tokens
• 498c4d9 fix: retry dpop nonce errors for generic grants
• 35042cf chore: cleanup after release
• See full diff in compare view

Updates i18next from 26.0.5 to 26.0.8

Release notes

Sourced from i18next's releases.

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

Changelog

Sourced from i18next's changelog.

26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

Commits

• 3ea438f 26.0.8
• 5176bbd retry version bump
• 10b48c6 26.0.8
• 9fdd99a retry version bump
• 9ee7da1 changelog
• 8ce5e26 26.0.8
• e802567 fix(types): restore ExistsFunction shape to keep arrow-function wrappers as...
• ce06fba 26.0.7
• ca33377 chore: drop unused @​babel/runtime dep and redundant bundled ESM output
• 8abe4e6 fix: show resolved plural key in missingKey debug log
• Additional commits viewable in compare view

Updates react-i18next from 17.0.4 to 17.0.6

Changelog

Sourced from react-i18next's changelog.

17.0.6

• fix: restore the v17 nodesToString output format consumed by i18next-cli's extractor while still rendering 1919 correctly
  • 17.0.5 fixed 1919 by changing what nodesToString produced, which inadvertently changed the extracted translation strings for keep-tags wrapping non-keep React elements
  • The fix now lives in the renderer: indexed <N> placeholders nested inside a keep-tag are scoped to that tag's own original React children (matching kept tags by name and positional occurrence at each level), so the translation string format produced by nodesToString is unchanged

17.0.5

• fix: <Trans /> no longer breaks child rendering when a kept HTML node (transKeepBasicHtmlNodesFor) wraps a non-keep React element 1919 — superseded by 17.0.6, which keeps the same runtime fix without changing the nodesToString output

Commits

• cb20d18 17.0.6
• b8ad5e4 fix: scope indexed placeholders inside keep-tags at render time #1919
• 75ce985 17.0.5
• 9803bb8 fix: <Trans /> no longer breaks child rendering when a kept HTML node (transK...
• ec37a48 chore: ignore .env*, *.pem, *.key in .gitignore
• See full diff in compare view

Updates react-router-dom from 7.14.1 to 7.14.2

Changelog

Sourced from react-router-dom's changelog.

v7.14.2

Patch Changes

• Updated dependencies:
  • react-router@7.14.2

Commits

• cf1d250 Release v7.14.2 (#14993)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions