chore: bump the npm-major group across 1 directory with 27 updates

[dependabot]

Bumps the npm-major group with 27 updates in the / directory:

Package	From	To
@atlaskit/pragmatic-drag-and-drop-auto-scroll	1.4.0	2.1.5
domhandler	5.0.3	6.0.1
emojibase	15.3.1	17.0.0
emojibase-data	15.3.2	17.0.0
focus-trap-react	10.3.1	12.0.2
html-dom-parser	5.1.8	8.0.0
html-react-parser	4.2.10	6.1.3
i18next	25.8.17	26.3.0
i18next-http-backend	2.7.3	4.0.0
immer	9.0.21	11.1.8
matrix-js-sdk	38.4.0	41.6.0
pdfjs-dist	5.5.207	6.0.227
react	18.3.1	19.2.6
@types/react	18.3.28	19.2.15
react-dom	18.3.1	19.2.6
@types/react-dom	18.3.7	19.2.3
react-google-recaptcha	2.1.0	3.1.0
react-i18next	16.5.7	17.0.8
react-router-dom	6.30.3	7.16.0
ua-parser-js	1.0.41	2.0.10
@types/node	24.10.13	25.9.1
@vitejs/plugin-react	5.1.4	6.0.2
knip	5.85.0	6.15.0
typescript	5.9.3	6.0.3
vite	7.3.1	8.0.14
vite-plugin-static-copy	3.2.0	4.1.0
vite-plugin-svgr	4.5.0	5.2.0

Updates @atlaskit/pragmatic-drag-and-drop-auto-scroll from 1.4.0 to 2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by atlassianartifactteam, a new releaser for @​atlaskit/pragmatic-drag-and-drop-auto-scroll since your current version.

Updates domhandler from 5.0.3 to 6.0.1

Release notes

Sourced from domhandler's releases.

v6.0.1

What's Changed

• add JSR import map for domelementtype

Full Changelog: fb55/domhandler@v6.0.0...v6.0.1

v6.0.0

What's Changed

BREAKING: domhandler is now ESM-only fb55/domhandler#1867

Full Changelog: fb55/domhandler@v5.0.3...v6.0.0

Commits

• 8f66071 6.0.1
• 39183cd ci: add JSR import map for domelementtype
• a54417e build(deps-dev): Bump @​feedic/eslint-config from 0.2.3 to 0.3.1 (#1865)
• 1346b9c 6.0.0
• 4a790c7 refactor!: ESM-only (#1867)
• 39f39e9 build(deps-dev): Bump typescript-eslint from 8.57.0 to 8.57.1 (#1866)
• 5a45546 build(deps-dev): Bump @​eslint/compat from 2.0.2 to 2.0.3 (#1864)
• 76be7b1 build(deps-dev): Bump typescript-eslint from 8.56.1 to 8.57.0 (#1863)
• 07eb031 build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 (#1862)
• 5d68735 chore: Remove Tidelift funding information (#1861)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for domhandler since your current version.

Updates emojibase from 15.3.1 to 17.0.0

Release notes

Sourced from emojibase's releases.

emojibase-data@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase-regex@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

emojibase-test-utils@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

emojibase-data@16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

emojibase-data@16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

emojibase-data@16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

emojibase-data@16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.

... (truncated)

Changelog

Sourced from emojibase's changelog.

17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a5fc630 chore: Version packages (#194)
• 50f5455 release: Emoji v17 / CLDR 48 (#193)
• 4f06163 Version Packages (#182)
• e9b9a9a new: Add vi (Vietnamese) language (#179)
• 04b7926 release: Update to Emoji v16 and CLDR 46. (#180)
• 8af1353 breaking: Drop Node.js v16 support. Requires >= v18.12. (#172)
• See full diff in compare view

Updates emojibase-data from 15.3.2 to 17.0.0

Release notes

Sourced from emojibase-data's releases.

emojibase-data@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase-data@16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

emojibase-data@16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

emojibase-data@16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

emojibase-data@16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

Patch Changes

• Updated dependencies [e9b9a9a]
• Updated dependencies [d237386]
• Updated dependencies [d237386]
  • emojibase@16.0.0

Changelog

Sourced from emojibase-data's changelog.

17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

Patch Changes

• Updated dependencies [e9b9a9a]
• Updated dependencies [d237386]
• Updated dependencies [d237386]
  • emojibase@16.0.0

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a5fc630 chore: Version packages (#194)
• 50f5455 release: Emoji v17 / CLDR 48 (#193)
• 91c1b15 fix: changed the translation into Russian (#190)
• abb21ab chore: Version packages (#188)
• 53fcdc1 internal: Regenerate data sets.
• acc7f6b chore: Version packages (#186)
• 7361f34 chore: Version packages (#185)
• 3faf950 fix: Add missing types for vi. (#184)
• 4f06163 Version Packages (#182)
• e9b9a9a new: Add vi (Vietnamese) language (#179)
• Additional commits viewable in compare view

Updates focus-trap-react from 10.3.1 to 12.0.2

Release notes

Sourced from focus-trap-react's releases.

v12.0.2

Patch Changes

• 161ec0d: Update focus-trap dependency to v8.2.1 for bug fixes and a new delayReturnFocus option

v12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

v12.0.0

Major Changes

• 763eae4: BREAKING: Updated focus-trap dependency to v8.0.0. The breaking change is that onPostActivate() is now correctly called after the initial focus node is focused (it was previously called before due to a bug with the initial focus delay). See the focus-trap changelog for more details.

v11.0.6

Patch Changes

• c0bd275: Bump focus-trap to 7.8.0 for new aria-hidden support in isolateSubtrees option and bug fix related to trapStack option

v11.0.5

Patch Changes

• 01712b0: Update focus-trap dependency to 7.6.6 and tabbable to 6.3.0 to get a new displayCheck option in tabbable.
• 0f8db7c: Bump tabbable to 6.4.0 and focus-trap to 7.7.1 for improved inert handling

v11.0.4

Patch Changes

• 346e41d: Bump focus-trap to v7.6.5 for shadow DOM bug fix

v11.0.3

Patch Changes

• 095b3d4: Bump focus-trap dependency to v7.6.4 to get fix to manually-paused traps (see focus-trap|1340 for more info)

v11.0.2

Patch Changes

• e766841: Fix deprecation warning in React 19 when accessing ref the pre-v19 way

v11.0.1

Patch Changes

• cd75caa: Fix missing default export in typings; props no longer extend React.AllHTMLAttributes<any> to allow things like className (those extra props have always been ignored anyway); deprecate default export; add named export in code (#1396)

v11.0.0

Major Changes

• 4a37dae: Dropping propTypes and defaultProps no longer supported by React 19 and long deprecated in React 18 (going forward, use TypeScript for prop typings, and if necessary, a runtime library to validate props); Increasing minimum supported React version up to >=18; Bumping focus-trap dependency to v7.6.2

Changelog

Sourced from focus-trap-react's changelog.

12.0.2

Patch Changes

• 161ec0d: Update focus-trap dependency to v8.2.1 for bug fixes and a new delayReturnFocus option

12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

12.0.0

Major Changes

• 763eae4: BREAKING: Updated focus-trap dependency to v8.0.0. The breaking change is that onPostActivate() is now correctly called after the initial focus node is focused (it was previously called before due to a bug with the initial focus delay). See the focus-trap changelog for more details.

11.0.6

Patch Changes

• c0bd275: Bump focus-trap to 7.8.0 for new aria-hidden support in isolateSubtrees option and bug fix related to trapStack option

11.0.5

Patch Changes

• 01712b0: Update focus-trap dependency to 7.6.6 and tabbable to 6.3.0 to get a new displayCheck option in tabbable.
• 0f8db7c: Bump tabbable to 6.4.0 and focus-trap to 7.7.1 for improved inert handling

11.0.4

Patch Changes

• 346e41d: Bump focus-trap to v7.6.5 for shadow DOM bug fix

11.0.3

Patch Changes

• 095b3d4: Bump focus-trap dependency to v7.6.4 to get fix to manually-paused traps (see focus-trap|1340 for more info)

11.0.2

Patch Changes

• e766841: Fix deprecation warning in React 19 when accessing ref the pre-v19 way

11.0.1

... (truncated)

Commits

• 901ba2b Version Packages (#1913)
• 161ec0d Update focus-trap to v8.2.1 (#1912)
• 24cb9fa [DEPENDABOT]: Bump systeminformation from 5.31.1 to 5.31.6 (#1911)
• c1bb8f5 [DEPENDABOT]: Bump @​typescript-eslint/eslint-plugin from 8.59.2 to 8.59.3 (#1...
• 776e742 [DEPENDABOT]: Bump jest from 30.3.0 to 30.4.2 (#1908)
• 152484e [DEPENDABOT]: Bump babel-jest from 30.3.0 to 30.4.1 (#1903)
• 8026d7e [DEPENDABOT]: Bump cypress from 15.14.2 to 15.15.0 (#1904)
• bd01612 [DEPENDABOT]: Bump eslint-plugin-cypress from 6.4.0 to 6.4.1 (#1905)
• dcc9f42 [DEPENDABOT]: Bump @​typescript-eslint/parser from 8.59.2 to 8.59.3 (#1907)
• b53fa10 [DEPENDABOT]: Bump jest-environment-jsdom from 30.3.0 to 30.4.1 (#1909)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for focus-trap-react since your current version.

Updates html-dom-parser from 5.1.8 to 8.0.0

Release notes

Sourced from html-dom-parser's releases.

v8.0.0

8.0.0 (2026-05-25)

⚠ BREAKING CHANGES

• tsconfig: build output now targets ES6 instead of ES5

Build System

• tsconfig: change target from es5 to es6 (d765720)

v7.1.0

7.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#1439) (25da34e) @​remdex

v7.0.1

7.0.1 (2026-04-07)

Bug Fixes

• bundle ESM-only deps into CJS output with Rollup (#1409) (901f1b4) @​athenacfr

v7.0.0

7.0.0 (2026-03-30)

⚠ BREAKING CHANGES

• deps: bump htmlparser2 from 11.0.0 to 12.0.0

Build System

• deps: bump htmlparser2 from 11.0.0 to 12.0.0 (#1389) (9e72885)

v6.0.0

6.0.0 (2026-03-20)

⚠ BREAKING CHANGES

• client: remove exports formatAttributes and CARRIAGE_RETURN constants
• deps: bump htmlparser2 from 10.1.0 to 11.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1

Code Refactoring

• client: remove exports formatAttributes and CARRIAGE_RETURN (77c2e92)

... (truncated)

Changelog

Sourced from html-dom-parser's changelog.

8.0.0 (2026-05-25)

⚠ BREAKING CHANGES

• tsconfig: build output now targets ES6 instead of ES5

Build System

• tsconfig: change target from es5 to es6 (d765720)

7.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#1439) (25da34e)

7.0.1 (2026-04-07)

Bug Fixes

• bundle ESM-only deps into CJS output with Rollup (#1409) (901f1b4)

7.0.0 (2026-03-30)

⚠ BREAKING CHANGES

• deps: bump htmlparser2 from 11.0.0 to 12.0.0

Build System

• deps: bump htmlparser2 from 11.0.0 to 12.0.0 (#1389) (9e72885)

6.0.0 (2026-03-20)

⚠ BREAKING CHANGES

• client: remove exports formatAttributes and CARRIAGE_RETURN constants
• deps: bump htmlparser2 from 10.1.0 to 11.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1

Code Refactoring

• client: remove exports formatAttributes and CARRIAGE_RETURN (77c2e92)

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (24b7e31)
• deps: bump htmlparser2 from 10.1.0 to 11.0.0 (cb389eb)

Commits

• 4baa13b Merge pull request #1467 from remarkablemark/release-please--branches--master...
• 91dccb7 docs(readme): document migration v8
• f2e3b85 Merge pull request #1469 from remarkablemark/build/tsdown
• ed823cb build(tsdown): remove dist/htmlparser2.js from the build
• 1436de4 build(tsdown): migrate from rollup to tsdown
• 3a3929c chore(tsconfig): add tsBuildInfoFile
• aae051c build(deps-dev): bump typescript from 5.9.3 to 6.0.3 (#1424)
• bc0f3a6 build(deps-dev): bump npm-run-all2 from 9.0.0 to 9.0.1 (#1468)
• e28f416 chore(husky): run script lint:tsc in pre-commit hook
• 058459c chore(tsconfig): set rootDir in tsconfig.test.json
• Additional commits viewable in compare view

Updates html-react-parser from 4.2.10 to 6.1.3

Release notes

Sourced from html-react-parser's releases.

v6.1.3

6.1.3 (2026-05-31)

Build System

• deps: bump html-dom-parser from 7.1.0 to 8.0.0 (#2261) (6cec8ca)

v6.1.2

6.1.2 (2026-05-22)

Build System

• deps: bump style-to-js from 1.1.21 to 2.0.0 (#2257) (c55e094)

v6.1.1

6.1.1 (2026-05-16)

Bug Fixes

• normalize exported DOM element class (#2243) (fe88b54), closes #2198 @​jinhyuk9714

v6.1.0

6.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#2220) (0fd3aa0) @​remdex

v6.0.1

6.0.1 (2026-04-08)

Build System

• deps: bump html-dom-parser from 7.0.0 to 7.0.1 (#2189) (c1f9856)

v6.0.0

6.0.0 (2026-04-02)

⚠ BREAKING CHANGES

• deps: bump html-dom-parser from 5.1.8 to 7.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1
• tsconfig: change build target from es5 to es2016

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (#2163) (c3d3092)

... (truncated)

Changelog

Sourced from html-react-parser's changelog.

6.1.3 (2026-05-31)

Build System

• deps: bump html-dom-parser from 7.1.0 to 8.0.0 (#2261) (6cec8ca)

6.1.2 (2026-05-22)

Build System

• deps: bump style-to-js from 1.1.21 to 2.0.0 (#2257) (c55e094)

6.1.1 (2026-05-16)

Bug Fixes

• normalize exported DOM element class (fe88b54)

6.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#2220) (0fd3aa0)

6.0.1 (2026-04-08)

Build System

• deps: bump html-dom-parser from 7.0.0 to 7.0.1 (#2189) (c1f9856)

6.0.0 (2026-04-02)

⚠ BREAKING CHANGES

• deps: bump html-dom-parser from 5.1.8 to 7.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1
• tsconfig: change build target from es5 to es2016

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (#2163) (c3d3092)
• deps: bump html-dom-parser from 5.1.8 to 7.0.0 (#2177) (1ae59e6)
• tsconfig: change target from es5 to es2016 (796f4de)

... (truncated)

Commits

• c7df5c3 Merge pull request #2267 from remarkablemark/release-please--branches--master...
• 519e59a chore(master): release 6.1.3
• 6cec8ca build(deps): bump html-dom-parser from 7.1.0 to 8.0.0 (#2261)
• eae73e6 build(deps-dev): bump eslint in the eslint group across 1 directory (#2264)
• 0681c1e build(deps-dev): bump lint-staged from 17.0.5 to 17.0.7 (#2266)
• 02bbd2d build(deps-dev): bump @​arethetypeswrong/cli from 0.18.2 to 0.18.3 (#2265)
• e650321 build(deps-dev): bump the commitlint group with 2 updates (#2263)
• 7309166 build(deps-dev): bump eslint-plugin-prettier in the eslint group (#2262)
• 668b359 build(deps-dev): bump typescript-eslint in the eslint group (#2260)
• 034837e Merge pull request #2259 from remarkablemark/dependabot/github_actions/github...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for html-react-parser since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates i18next from 25.8.17 to 26.3.0

Release notes

Sourced from i18next's releases.

v26.3.0

• feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

v26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

v26.0.2

• fix(types): t("key", {} as TOptions) no longer produces a type error — the context constraint now bypasses strict checking when context is unknown (e.g. from TOptions) 2418

v26.0.1

• fix: Formatter no longer crashes when alwaysFormat is true and no format specifier is present (format is undefined)
• fix: Formatter now returns undefined/null values as-is instead of producing NaN when the value is missing

v26.0.0

This is a major breaking release:

... (truncated)

Changelog

Sourced from i18next's changelog.

26.3.0

• feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

26.0.3

... (truncated)

Commits

• bdf651c 26.3.0
• 988a362 changelog: 26.3.0 entry for #2434