chore(deps): bump i18next-fs-backend from 1.1.5 to 2.6.6

[dependabot]

Bumps i18next-fs-backend from 1.1.5 to 2.6.6.

Changelog

Sourced from i18next-fs-backend's changelog.

2.6.6

Security release — coordinated disclosure from @​codeswhite. See published advisory GHSA-2933-q333-qg83.

• security: guard the in-memory setPath / pushPath traversal (utils.getLastOfPath) against prototype pollution via crafted missing-key strings. 2.6.4 sanitised lng/ns interpolation into filesystem paths, but did not cover the JSON-object walk that writeFile() performs on each queued missing-key entry: with the default keySeparator: '.', a key like __proto__.polluted was split into ['__proto__','polluted'] and walked straight into Object.prototype. The traversal helper now refuses to descend through __proto__, constructor, or prototype segments and drops the offending write silently; legitimate dotted keys (header.title) are unaffected. Reachable in practice via i18next-http-middleware's missingKeyHandler when exposed to untrusted input — see also the matching defence-in-depth fix in i18next-http-middleware 3.9.7. Credit: @​codeswhite (GHSA-2933-q333-qg83).

2.6.5

• fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale files such as public/locales/en/a/b.json) load correctly again. 2.6.4's security fix applied the same strict path-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafePathSegment is now split into isSafeLangSegment (strict — still rejects /) and isSafeNsSegment (loose — allows / but still rejects .., \, control chars, prototype keys, and oversized inputs). isSafePathSegment is kept as a backwards-compatible alias for the strict check. The 2.6.4 security fix remains in force for every concrete attack pattern from the original advisory. Fixes #74.

2.6.4

Security release — all issues found via an internal audit. See published advisory GHSA-8847-338w-5hcj.

• security: refuse to build filesystem paths when lng or ns values contain .., path separators (/, \), control characters, prototype keys (__proto__ / constructor / prototype), or exceed 128 chars. Prevents arbitrary filesystem read / write via attacker-controlled language-code values. Any legitimate i18next language-code shape (BCP-47-like, underscores, hyphens, dots, +-joined multi-language requests) is still accepted (GHSA-8847-338w-5hcj)
• docs: new "Security considerations" README section — documents the filesystem-path sanitiser and clarifies the trust model around .js/.ts locale files (their content is eval-ed, so they must be treated as code). The eval behaviour itself is retained: dynamic expressions in .js/.ts locale files are an intentional feature, and safe replacements like import() are async-only and not viable for this sync-capable code path.
• chore: ignore .env* and *.pem/*.key files in .gitignore.

2.6.3

• use own interpolation function instead of relying on i18next's interpolator

2.6.1

• Bump js-yaml from 4.1.0 to 4.1.1 (#64)

2.6.0

• support initImmediate -> initAsync renaming of i18next v24

2.5.0

• fix for Deno 2 and removal of unnecessary .cjs file
• for esm build environments not supporting top-level await, you should import the i18next-fs-backend/cjs export or stay at v2.4.0

Commits

• 0fff98b 2.6.6
• 3ab0448 security: guard setPath/pushPath traversal against prototype pollution
• 321916b Add Locize advice section near the top of README
• 47d7198 Modernize locize.com URLs and refresh UTM tags
• f24b597 docs: clarify that nested-ns with slashes was never officially supported
• c5c2f2a 2.6.5
• a910688 fix: allow forward slashes in ns values (fixes #74)
• deced92 Bump i18next-http-backend in /example/updatable-cache (#73)
• ca78fd4 Bump i18next-http-backend from 2.6.2 to 3.0.5 in /example/caching (#72)
• 8651d31 Bump i18next-fs-backend from 2.4.0 to 2.6.4 in /example/updatable-cache (#71)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: Content - Dependences. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.