chore: bump the npm-major group across 1 directory with 26 updates

[dependabot]

Bumps the npm-major group with 26 updates in the / directory:

Package	From	To
@atlaskit/pragmatic-drag-and-drop-auto-scroll	1.4.0	2.1.5
domhandler	5.0.3	6.0.1
emojibase	15.3.1	17.0.0
emojibase-data	15.3.2	17.0.0
focus-trap-react	10.3.1	12.0.2
html-dom-parser	5.1.8	7.1.0
html-react-parser	4.2.10	6.1.1
i18next	25.8.17	26.2.0
i18next-http-backend	2.7.3	4.0.0
immer	9.0.21	11.1.8
matrix-js-sdk	38.4.0	41.5.0
react	18.3.1	19.2.6
@types/react	18.3.28	19.2.14
react-dom	18.3.1	19.2.6
@types/react-dom	18.3.7	19.2.3
react-google-recaptcha	2.1.0	3.1.0
react-i18next	16.5.7	17.0.8
react-router-dom	6.30.3	7.15.1
ua-parser-js	1.0.41	2.0.9
@types/node	24.10.13	25.9.0
@vitejs/plugin-react	5.1.4	6.0.2
knip	5.85.0	6.14.1
typescript	5.9.3	6.0.3
vite	7.3.1	8.0.13
vite-plugin-static-copy	3.2.0	4.1.0
vite-plugin-svgr	4.5.0	5.2.0

Updates @atlaskit/pragmatic-drag-and-drop-auto-scroll from 1.4.0 to 2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by atlassianartifactteam, a new releaser for @​atlaskit/pragmatic-drag-and-drop-auto-scroll since your current version.

Updates domhandler from 5.0.3 to 6.0.1

Release notes

Sourced from domhandler's releases.

v6.0.1

What's Changed

• add JSR import map for domelementtype

Full Changelog: fb55/domhandler@v6.0.0...v6.0.1

v6.0.0

What's Changed

BREAKING: domhandler is now ESM-only fb55/domhandler#1867

Full Changelog: fb55/domhandler@v5.0.3...v6.0.0

Commits

• 8f66071 6.0.1
• 39183cd ci: add JSR import map for domelementtype
• a54417e build(deps-dev): Bump @​feedic/eslint-config from 0.2.3 to 0.3.1 (#1865)
• 1346b9c 6.0.0
• 4a790c7 refactor!: ESM-only (#1867)
• 39f39e9 build(deps-dev): Bump typescript-eslint from 8.57.0 to 8.57.1 (#1866)
• 5a45546 build(deps-dev): Bump @​eslint/compat from 2.0.2 to 2.0.3 (#1864)
• 76be7b1 build(deps-dev): Bump typescript-eslint from 8.56.1 to 8.57.0 (#1863)
• 07eb031 build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 (#1862)
• 5d68735 chore: Remove Tidelift funding information (#1861)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for domhandler since your current version.

Updates emojibase from 15.3.1 to 17.0.0

Release notes

Sourced from emojibase's releases.

emojibase-data@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase-regex@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

emojibase-test-utils@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

emojibase-data@16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

emojibase-data@16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

emojibase-data@16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

emojibase-data@16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.

... (truncated)

Changelog

Sourced from emojibase's changelog.

17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a5fc630 chore: Version packages (#194)
• 50f5455 release: Emoji v17 / CLDR 48 (#193)
• 4f06163 Version Packages (#182)
• e9b9a9a new: Add vi (Vietnamese) language (#179)
• 04b7926 release: Update to Emoji v16 and CLDR 46. (#180)
• 8af1353 breaking: Drop Node.js v16 support. Requires >= v18.12. (#172)
• See full diff in compare view

Updates emojibase-data from 15.3.2 to 17.0.0

Release notes

Sourced from emojibase-data's releases.

emojibase-data@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase-data@16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

emojibase-data@16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

emojibase-data@16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

emojibase-data@16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

Patch Changes

• Updated dependencies [e9b9a9a]
• Updated dependencies [d237386]
• Updated dependencies [d237386]
  • emojibase@16.0.0

Changelog

Sourced from emojibase-data's changelog.

17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

Patch Changes

• Updated dependencies [e9b9a9a]
• Updated dependencies [d237386]
• Updated dependencies [d237386]
  • emojibase@16.0.0

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a5fc630 chore: Version packages (#194)
• 50f5455 release: Emoji v17 / CLDR 48 (#193)
• 91c1b15 fix: changed the translation into Russian (#190)
• abb21ab chore: Version packages (#188)
• 53fcdc1 internal: Regenerate data sets.
• acc7f6b chore: Version packages (#186)
• 7361f34 chore: Version packages (#185)
• 3faf950 fix: Add missing types for vi. (#184)
• 4f06163 Version Packages (#182)
• e9b9a9a new: Add vi (Vietnamese) language (#179)
• Additional commits viewable in compare view

Updates focus-trap-react from 10.3.1 to 12.0.2

Release notes

Sourced from focus-trap-react's releases.

v12.0.2

Patch Changes

• 161ec0d: Update focus-trap dependency to v8.2.1 for bug fixes and a new delayReturnFocus option

v12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

v12.0.0

Major Changes

• 763eae4: BREAKING: Updated focus-trap dependency to v8.0.0. The breaking change is that onPostActivate() is now correctly called after the initial focus node is focused (it was previously called before due to a bug with the initial focus delay). See the focus-trap changelog for more details.

v11.0.6

Patch Changes

• c0bd275: Bump focus-trap to 7.8.0 for new aria-hidden support in isolateSubtrees option and bug fix related to trapStack option

v11.0.5

Patch Changes

• 01712b0: Update focus-trap dependency to 7.6.6 and tabbable to 6.3.0 to get a new displayCheck option in tabbable.
• 0f8db7c: Bump tabbable to 6.4.0 and focus-trap to 7.7.1 for improved inert handling

v11.0.4

Patch Changes

• 346e41d: Bump focus-trap to v7.6.5 for shadow DOM bug fix

v11.0.3

Patch Changes

• 095b3d4: Bump focus-trap dependency to v7.6.4 to get fix to manually-paused traps (see focus-trap|1340 for more info)

v11.0.2

Patch Changes

• e766841: Fix deprecation warning in React 19 when accessing ref the pre-v19 way

v11.0.1

Patch Changes

• cd75caa: Fix missing default export in typings; props no longer extend React.AllHTMLAttributes<any> to allow things like className (those extra props have always been ignored anyway); deprecate default export; add named export in code (#1396)

v11.0.0

Major Changes

• 4a37dae: Dropping propTypes and defaultProps no longer supported by React 19 and long deprecated in React 18 (going forward, use TypeScript for prop typings, and if necessary, a runtime library to validate props); Increasing minimum supported React version up to >=18; Bumping focus-trap dependency to v7.6.2

Changelog

Sourced from focus-trap-react's changelog.

12.0.2

Patch Changes

• 161ec0d: Update focus-trap dependency to v8.2.1 for bug fixes and a new delayReturnFocus option

12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

12.0.0

Major Changes

• 763eae4: BREAKING: Updated focus-trap dependency to v8.0.0. The breaking change is that onPostActivate() is now correctly called after the initial focus node is focused (it was previously called before due to a bug with the initial focus delay). See the focus-trap changelog for more details.

11.0.6

Patch Changes

• c0bd275: Bump focus-trap to 7.8.0 for new aria-hidden support in isolateSubtrees option and bug fix related to trapStack option

11.0.5

Patch Changes

• 01712b0: Update focus-trap dependency to 7.6.6 and tabbable to 6.3.0 to get a new displayCheck option in tabbable.
• 0f8db7c: Bump tabbable to 6.4.0 and focus-trap to 7.7.1 for improved inert handling

11.0.4

Patch Changes

• 346e41d: Bump focus-trap to v7.6.5 for shadow DOM bug fix

11.0.3

Patch Changes

• 095b3d4: Bump focus-trap dependency to v7.6.4 to get fix to manually-paused traps (see focus-trap|1340 for more info)

11.0.2

Patch Changes

• e766841: Fix deprecation warning in React 19 when accessing ref the pre-v19 way

11.0.1

... (truncated)

Commits

• 901ba2b Version Packages (#1913)
• 161ec0d Update focus-trap to v8.2.1 (#1912)
• 24cb9fa [DEPENDABOT]: Bump systeminformation from 5.31.1 to 5.31.6 (#1911)
• c1bb8f5 [DEPENDABOT]: Bump @​typescript-eslint/eslint-plugin from 8.59.2 to 8.59.3 (#1...
• 776e742 [DEPENDABOT]: Bump jest from 30.3.0 to 30.4.2 (#1908)
• 152484e [DEPENDABOT]: Bump babel-jest from 30.3.0 to 30.4.1 (#1903)
• 8026d7e [DEPENDABOT]: Bump cypress from 15.14.2 to 15.15.0 (#1904)
• bd01612 [DEPENDABOT]: Bump eslint-plugin-cypress from 6.4.0 to 6.4.1 (#1905)
• dcc9f42 [DEPENDABOT]: Bump @​typescript-eslint/parser from 8.59.2 to 8.59.3 (#1907)
• b53fa10 [DEPENDABOT]: Bump jest-environment-jsdom from 30.3.0 to 30.4.1 (#1909)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for focus-trap-react since your current version.

Updates html-dom-parser from 5.1.8 to 7.1.0

Release notes

Sourced from html-dom-parser's releases.

v7.1.0

7.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#1439) (25da34e) @​remdex

v7.0.1

7.0.1 (2026-04-07)

Bug Fixes

• bundle ESM-only deps into CJS output with Rollup (#1409) (901f1b4) @​athenacfr

v7.0.0

7.0.0 (2026-03-30)

⚠ BREAKING CHANGES

• deps: bump htmlparser2 from 11.0.0 to 12.0.0

Build System

• deps: bump htmlparser2 from 11.0.0 to 12.0.0 (#1389) (9e72885)

v6.0.0

6.0.0 (2026-03-20)

⚠ BREAKING CHANGES

• client: remove exports formatAttributes and CARRIAGE_RETURN constants
• deps: bump htmlparser2 from 10.1.0 to 11.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1

Code Refactoring

• client: remove exports formatAttributes and CARRIAGE_RETURN (77c2e92)

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (24b7e31)
• deps: bump htmlparser2 from 10.1.0 to 11.0.0 (cb389eb)

Changelog

Sourced from html-dom-parser's changelog.

7.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#1439) (25da34e)

7.0.1 (2026-04-07)

Bug Fixes

• bundle ESM-only deps into CJS output with Rollup (#1409) (901f1b4)

7.0.0 (2026-03-30)

⚠ BREAKING CHANGES

• deps: bump htmlparser2 from 11.0.0 to 12.0.0

Build System

• deps: bump htmlparser2 from 11.0.0 to 12.0.0 (#1389) (9e72885)

6.0.0 (2026-03-20)

⚠ BREAKING CHANGES

• client: remove exports formatAttributes and CARRIAGE_RETURN constants
• deps: bump htmlparser2 from 10.1.0 to 11.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1

Code Refactoring

• client: remove exports formatAttributes and CARRIAGE_RETURN (77c2e92)

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (24b7e31)
• deps: bump htmlparser2 from 10.1.0 to 11.0.0 (cb389eb)

Commits

• 595dcd4 Merge pull request #1440 from remarkablemark/release-please--branches--master...
• 9fc7529 refactor: rename TrustedTypePolicyLike to TrustedTypePolicy
• f080446 build(package): update package-lock.json
• e9633cd build(deps-dev): bump rollup from 4.60.2 to 4.60.3 (#1442)
• 01856ad build(deps-dev): bump typescript-eslint from 8.59.1 to 8.59.2 (#1441)
• 865852e chore(master): release 7.1.0
• 25da34e feat(options): add CSP support with trustedTypePolicy (#1439)
• 0ac2022 build(deps-dev): bump jsdom from 29.1.0 to 29.1.1 (#1436)
• 937e39d build(deps-dev): bump globals from 17.5.0 to 17.6.0 (#1438)
• 661b85a build(deps-dev): bump eslint from 10.2.1 to 10.3.0 in the eslint group (#1437)
• Additional commits viewable in compare view

Updates html-react-parser from 4.2.10 to 6.1.1

Release notes

Sourced from html-react-parser's releases.

v6.1.1

6.1.1 (2026-05-16)

Bug Fixes

• normalize exported DOM element class (#2243) (fe88b54), closes #2198 @​jinhyuk9714

v6.1.0

6.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#2220) (0fd3aa0) @​remdex

v6.0.1

6.0.1 (2026-04-08)

Build System

• deps: bump html-dom-parser from 7.0.0 to 7.0.1 (#2189) (c1f9856)

v6.0.0

6.0.0 (2026-04-02)

⚠ BREAKING CHANGES

• deps: bump html-dom-parser from 5.1.8 to 7.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1
• tsconfig: change build target from es5 to es2016

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (#2163) (c3d3092)
• deps: bump html-dom-parser from 5.1.8 to 7.0.0 (#2177) (1ae59e6)
• tsconfig: change target from es5 to es2016 (796f4de)

v5.2.17

5.2.17 (2026-02-07)

Bug Fixes

• deps: bump html-dom-parser from 5.1.7 to 5.1.8 (#2113) (c53a612)

v5.2.16

5.2.16 (2026-02-03)

Build System

... (truncated)

Changelog

Sourced from html-react-parser's changelog.

6.1.1 (2026-05-16)

Bug Fixes

• normalize exported DOM element class (fe88b54)

6.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#2220) (0fd3aa0)

6.0.1 (2026-04-08)

Build System

• deps: bump html-dom-parser from 7.0.0 to 7.0.1 (#2189) (c1f9856)

6.0.0 (2026-04-02)

⚠ BREAKING CHANGES

• deps: bump html-dom-parser from 5.1.8 to 7.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1
• tsconfig: change build target from es5 to es2016

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (#2163) (c3d3092)
• deps: bump html-dom-parser from 5.1.8 to 7.0.0 (#2177) (1ae59e6)
• tsconfig: change target from es5 to es2016 (796f4de)

5.2.17 (2026-02-07)

Bug Fixes

• deps: bump html-dom-parser from 5.1.7 to 5.1.8 (#2113) (c53a612)

5.2.16 (2026-02-03)

Build System

• deps: bump html-dom-parser from 5.1.4 to 5.1.7 (#2100) (461624b)

... (truncated)

Commits

• 536dc58 Merge pull request #2244 from remarkablemark/release-please--branches--master...
• 8473ce1 build(deps-dev): bump the eslint group across 1 directory with 3 updates (#2246)
• 43827b8 Merge pull request #2245 from remarkablemark/build/package
• e060a64 build(package): save @​arethetypeswrong/cli and pin fflate to 0.8.2
• 28c6ba0 chore(master): release 6.1.1
• cfa0e0e Merge pull request #2243 from jinhyuk9714/fix-element-instanceof-regression
• fe88b54 fix: normalize exported DOM element class
• f7e66d8 ci(github): delete .github/workflows/assign-reviewer.yml
• 1cc821a build(deps-dev): bump rollup from 4.60.3 to 4.60.4 (#2242)
• c267049 build(deps-dev): bump @​types/node from 25.7.0 to 25.8.0 (#2241)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for html-react-parser since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates i18next from 25.8.17 to 26.2.0

Release notes

Sourced from i18next's releases.

v26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

v26.0.2

• fix(types): t("key", {} as TOptions) no longer produces a type error — the context constraint now bypasses strict checking when context is unknown (e.g. from TOptions) 2418

v26.0.1

• fix: Formatter no longer crashes when alwaysFormat is true and no format specifier is present (format is undefined)
• fix: Formatter now returns undefined/null values as-is instead of producing NaN when the value is missing

v26.0.0

This is a major breaking release:

Breaking Changes

... (truncated)

Changelog

Sourced from i18next's changelog.

26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

26.0.2

... (truncated)

Commits

• 22fb6ad 26.2.0
• b640ac4 feat(types): parseInterpolation flag for ICU-friendly t() typing (i18next-icu...
• 0b9debd changelog: 26.1.1 entry for #2431
• 50509e4 fix(types): expose enableSelector on InitOptions (#2431)
• 80b5402 Enhance Pro Tip in README with i18next-locize-backend plugin link
• 5af0475 26.1.0
• 85c0951 feat: enableSelector: 'strict' — explicit-ns selector mode, no flattened prim...
• 8fec684 docs(types): clarify ExistsFunction note re: narrowing through wrappers
• 61eaf5b 26.0.10
• 47fd92f feat: getFixedT 4th-arg scopeNs decouples selector ns-detection from resoluti...
• Additional commits viewable in compare view

Updates i18next-http-backend from 2.7.3 to 4.0.0

Changelog

Sourced from i18next-http-backend's changelog.

4.0.0

• BREAKING: drop cross-fetch dependency. i18next-http-backend now requires a host-provided fetch. This is available in Node ≥ 18 (stable since Node 21), all modern browsers, Deno, and Bun. For runtimes without native fetch, install a ponyfill yourself and inject it via options.alternateFetch, or stay on v3.x.
• BREAKING: minimum Node version is now 18 (engines.node = ">=18").
• chore: simplified environment detection in lib/request.js — uses globalThis (with global / window fallbacks for legacy embedded runtimes) instead of separate global.* / window.* branches per API. XHR / ActiveXObject are still picked up if the host provides them, but no longer polyfilled.
• chore: declared "sideEffects": false for better tree-shaking by downstream bundlers.
• build: replaced babel + browserify + uglify-js with tsdown (rolldown + oxc). One config produces ESM, CJS, and the IIFE browser bundles. Drops @babel/cliDescription has been truncated