Bump i18next-fs-backend from 2.6.0 to 2.6.6

[dependabot]

Bumps i18next-fs-backend from 2.6.0 to 2.6.6.

Changelog

Sourced from i18next-fs-backend's changelog.

2.6.6

Security release — coordinated disclosure from @​codeswhite. See published advisory GHSA-2933-q333-qg83.

• security: guard the in-memory setPath / pushPath traversal (utils.getLastOfPath) against prototype pollution via crafted missing-key strings. 2.6.4 sanitised lng/ns interpolation into filesystem paths, but did not cover the JSON-object walk that writeFile() performs on each queued missing-key entry: with the default keySeparator: '.', a key like __proto__.polluted was split into ['__proto__','polluted'] and walked straight into Object.prototype. The traversal helper now refuses to descend through __proto__, constructor, or prototype segments and drops the offending write silently; legitimate dotted keys (header.title) are unaffected. Reachable in practice via i18next-http-middleware's missingKeyHandler when exposed to untrusted input — see also the matching defence-in-depth fix in i18next-http-middleware 3.9.7. Credit: @​codeswhite (GHSA-2933-q333-qg83).

2.6.5

• fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale files such as public/locales/en/a/b.json) load correctly again. 2.6.4's security fix applied the same strict path-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafePathSegment is now split into isSafeLangSegment (strict — still rejects /) and isSafeNsSegment (loose — allows / but still rejects .., \, control chars, prototype keys, and oversized inputs). isSafePathSegment is kept as a backwards-compatible alias for the strict check. The 2.6.4 security fix remains in force for every concrete attack pattern from the original advisory. Fixes #74.

2.6.4

Security release — all issues found via an internal audit. See published advisory GHSA-8847-338w-5hcj.

• security: refuse to build filesystem paths when lng or ns values contain .., path separators (/, \), control characters, prototype keys (__proto__ / constructor / prototype), or exceed 128 chars. Prevents arbitrary filesystem read / write via attacker-controlled language-code values. Any legitimate i18next language-code shape (BCP-47-like, underscores, hyphens, dots, +-joined multi-language requests) is still accepted (GHSA-8847-338w-5hcj)
• docs: new "Security considerations" README section — documents the filesystem-path sanitiser and clarifies the trust model around .js/.ts locale files (their content is eval-ed, so they must be treated as code). The eval behaviour itself is retained: dynamic expressions in .js/.ts locale files are an intentional feature, and safe replacements like import() are async-only and not viable for this sync-capable code path.
• chore: ignore .env* and *.pem/*.key files in .gitignore.

2.6.3

• use own interpolation function instead of relying on i18next's interpolator

2.6.1

• Bump js-yaml from 4.1.0 to 4.1.1 (#64)

Commits

• 0fff98b 2.6.6
• 3ab0448 security: guard setPath/pushPath traversal against prototype pollution
• 321916b Add Locize advice section near the top of README
• 47d7198 Modernize locize.com URLs and refresh UTM tags
• f24b597 docs: clarify that nested-ns with slashes was never officially supported
• c5c2f2a 2.6.5
• a910688 fix: allow forward slashes in ns values (fixes #74)
• deced92 Bump i18next-http-backend in /example/updatable-cache (#73)
• ca78fd4 Bump i18next-http-backend from 2.6.2 to 3.0.5 in /example/caching (#72)
• 8651d31 Bump i18next-fs-backend from 2.4.0 to 2.6.4 in /example/updatable-cache (#71)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
stakes-social	Ignored		Jun 30, 2026 11:03am