chore: bump the npm-major group across 1 directory with 27 updates

[dependabot]

Bumps the npm-major group with 24 updates in the / directory:

Package	From	To
@atlaskit/pragmatic-drag-and-drop-auto-scroll	1.4.0	2.1.5
domhandler	5.0.3	6.0.1
emojibase	15.3.1	17.0.0
emojibase-data	15.3.2	17.0.0
focus-trap-react	10.3.1	12.0.1
html-dom-parser	5.1.8	7.1.0
html-react-parser	4.2.10	6.1.0
i18next	25.8.17	26.1.0
immer	9.0.21	11.1.8
matrix-js-sdk	38.4.0	41.4.0
react	18.3.1	19.2.6
@types/react	18.3.28	19.2.14
react-dom	18.3.1	19.2.6
@types/react-dom	18.3.7	19.2.3
react-google-recaptcha	2.1.0	3.1.0
react-i18next	16.5.7	17.0.7
react-router-dom	6.30.3	7.15.0
ua-parser-js	1.0.41	2.0.9
@types/node	24.10.13	25.7.0
@vitejs/plugin-react	5.1.4	6.0.1
knip	5.85.0	6.13.0
typescript	5.9.3	6.0.3
vite-plugin-static-copy	3.2.0	4.1.0
vite-plugin-svgr	4.5.0	5.2.0

Updates @atlaskit/pragmatic-drag-and-drop-auto-scroll from 1.4.0 to 2.1.5

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by atlassianartifactteam, a new releaser for @​atlaskit/pragmatic-drag-and-drop-auto-scroll since your current version.

Updates domhandler from 5.0.3 to 6.0.1

Release notes

Sourced from domhandler's releases.

v6.0.1

What's Changed

• add JSR import map for domelementtype

Full Changelog: fb55/domhandler@v6.0.0...v6.0.1

v6.0.0

What's Changed

BREAKING: domhandler is now ESM-only fb55/domhandler#1867

Full Changelog: fb55/domhandler@v5.0.3...v6.0.0

Commits

• 8f66071 6.0.1
• 39183cd ci: add JSR import map for domelementtype
• a54417e build(deps-dev): Bump @​feedic/eslint-config from 0.2.3 to 0.3.1 (#1865)
• 1346b9c 6.0.0
• 4a790c7 refactor!: ESM-only (#1867)
• 39f39e9 build(deps-dev): Bump typescript-eslint from 8.57.0 to 8.57.1 (#1866)
• 5a45546 build(deps-dev): Bump @​eslint/compat from 2.0.2 to 2.0.3 (#1864)
• 76be7b1 build(deps-dev): Bump typescript-eslint from 8.56.1 to 8.57.0 (#1863)
• 07eb031 build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 (#1862)
• 5d68735 chore: Remove Tidelift funding information (#1861)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for domhandler since your current version.

Updates dompurify from 3.3.3 to 3.4.5

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth

... (truncated)

Commits

• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• 6f67fd3 Sync/3.4.2 (#1322)
• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates emojibase from 15.3.1 to 17.0.0

Release notes

Sourced from emojibase's releases.

emojibase-data@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase-regex@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

emojibase-test-utils@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

emojibase-data@16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

emojibase-data@16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

emojibase-data@16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

emojibase-data@16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.

... (truncated)

Changelog

Sourced from emojibase's changelog.

17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a5fc630 chore: Version packages (#194)
• 50f5455 release: Emoji v17 / CLDR 48 (#193)
• 4f06163 Version Packages (#182)
• e9b9a9a new: Add vi (Vietnamese) language (#179)
• 04b7926 release: Update to Emoji v16 and CLDR 46. (#180)
• 8af1353 breaking: Drop Node.js v16 support. Requires >= v18.12. (#172)
• See full diff in compare view

Updates emojibase-data from 15.3.2 to 17.0.0

Release notes

Sourced from emojibase-data's releases.

emojibase-data@17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

emojibase-data@16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

emojibase-data@16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

emojibase-data@16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

emojibase-data@16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

Patch Changes

• Updated dependencies [e9b9a9a]
• Updated dependencies [d237386]
• Updated dependencies [d237386]
  • emojibase@16.0.0

Changelog

Sourced from emojibase-data's changelog.

17.0.0

Major Changes

• 806c507: Update to Emoji v17 and CLDR 48.

Patch Changes

• Updated dependencies [806c507]
  • emojibase@17.0.0

16.0.3

Patch Changes

• 53fcdc1: Updated Chinese Traditional translations.

16.0.2

Patch Changes

• d0e4bcc: Fixed a broken publish.

16.0.1

Patch Changes

• 3faf950: Add missing files and types for vi data.

16.0.0

Major Changes

• e9b9a9a: Add vi (Vietnamese) language.
• d237386: Update to Emoji v16 and CLDR 46.
• d237386: Drop Node.js v16 support. Requires >= v18.12.

Patch Changes

• Updated dependencies [e9b9a9a]
• Updated dependencies [d237386]
• Updated dependencies [d237386]
  • emojibase@16.0.0

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a5fc630 chore: Version packages (#194)
• 50f5455 release: Emoji v17 / CLDR 48 (#193)
• 91c1b15 fix: changed the translation into Russian (#190)
• abb21ab chore: Version packages (#188)
• 53fcdc1 internal: Regenerate data sets.
• acc7f6b chore: Version packages (#186)
• 7361f34 chore: Version packages (#185)
• 3faf950 fix: Add missing types for vi. (#184)
• 4f06163 Version Packages (#182)
• e9b9a9a new: Add vi (Vietnamese) language (#179)
• Additional commits viewable in compare view

Updates focus-trap-react from 10.3.1 to 12.0.1

Release notes

Sourced from focus-trap-react's releases.

v12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

v12.0.0

Major Changes

• 763eae4: BREAKING: Updated focus-trap dependency to v8.0.0. The breaking change is that onPostActivate() is now correctly called after the initial focus node is focused (it was previously called before due to a bug with the initial focus delay). See the focus-trap changelog for more details.

v11.0.6

Patch Changes

• c0bd275: Bump focus-trap to 7.8.0 for new aria-hidden support in isolateSubtrees option and bug fix related to trapStack option

v11.0.5

Patch Changes

• 01712b0: Update focus-trap dependency to 7.6.6 and tabbable to 6.3.0 to get a new displayCheck option in tabbable.
• 0f8db7c: Bump tabbable to 6.4.0 and focus-trap to 7.7.1 for improved inert handling

v11.0.4

Patch Changes

• 346e41d: Bump focus-trap to v7.6.5 for shadow DOM bug fix

v11.0.3

Patch Changes

• 095b3d4: Bump focus-trap dependency to v7.6.4 to get fix to manually-paused traps (see focus-trap|1340 for more info)

v11.0.2

Patch Changes

• e766841: Fix deprecation warning in React 19 when accessing ref the pre-v19 way

v11.0.1

Patch Changes

• cd75caa: Fix missing default export in typings; props no longer extend React.AllHTMLAttributes<any> to allow things like className (those extra props have always been ignored anyway); deprecate default export; add named export in code (#1396)

v11.0.0

Major Changes

• 4a37dae: Dropping propTypes and defaultProps no longer supported by React 19 and long deprecated in React 18 (going forward, use TypeScript for prop typings, and if necessary, a runtime library to validate props); Increasing minimum supported React version up to >=18; Bumping focus-trap dependency to v7.6.2

Changelog

Sourced from focus-trap-react's changelog.

12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

12.0.0

Major Changes

• 763eae4: BREAKING: Updated focus-trap dependency to v8.0.0. The breaking change is that onPostActivate() is now correctly called after the initial focus node is focused (it was previously called before due to a bug with the initial focus delay). See the focus-trap changelog for more details.

11.0.6

Patch Changes

• c0bd275: Bump focus-trap to 7.8.0 for new aria-hidden support in isolateSubtrees option and bug fix related to trapStack option

11.0.5

Patch Changes

• 01712b0: Update focus-trap dependency to 7.6.6 and tabbable to 6.3.0 to get a new displayCheck option in tabbable.
• 0f8db7c: Bump tabbable to 6.4.0 and focus-trap to 7.7.1 for improved inert handling

11.0.4

Patch Changes

• 346e41d: Bump focus-trap to v7.6.5 for shadow DOM bug fix

11.0.3

Patch Changes

• 095b3d4: Bump focus-trap dependency to v7.6.4 to get fix to manually-paused traps (see focus-trap|1340 for more info)

11.0.2

Patch Changes

• e766841: Fix deprecation warning in React 19 when accessing ref the pre-v19 way

11.0.1

Patch Changes

• cd75caa: Fix missing default export in typings; props no longer extend React.AllHTMLAttributes<any> to allow things like className (those extra props have always been ignored anyway); deprecate default export; add named export in code (#1396)

11.0.0

... (truncated)

Commits

• 95347d3 Version Packages (#1890)
• 93c93e9 Bump focus-trap to 8.1.0 (#1889)
• fd3fe32 [DEPENDABOT]: Bump @​typescript-eslint/eslint-plugin from 8.58.2 to 8.59.0 (#1...
• 591f8af [DEPENDABOT]: Bump @​changesets/cli from 2.30.0 to 2.31.0 (#1883)
• 2d283a7 [DEPENDABOT]: Bump typescript from 6.0.2 to 6.0.3 (#1885)
• b6e21d9 [DEPENDABOT]: Bump @​typescript-eslint/parser from 8.58.2 to 8.59.0 (#1886)
• 912a5cc [DEPENDABOT]: Bump cypress from 15.13.1 to 15.14.1 (#1887)
• 1ce7b6b [DEPENDABOT]: Bump eslint-plugin-react-hooks from 7.0.1 to 7.1.1 (#1888)
• b5dcc57 [DEPENDABOT]: Bump eslint-plugin-cypress from 6.2.3 to 6.3.1 (#1874)
• 65d02f5 [DEPENDABOT]: Bump prettier from 3.8.1 to 3.8.3 (#1876)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for focus-trap-react since your current version.

Updates html-dom-parser from 5.1.8 to 7.1.0

Release notes

Sourced from html-dom-parser's releases.

v7.1.0

7.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#1439) (25da34e) @​remdex

v7.0.1

7.0.1 (2026-04-07)

Bug Fixes

• bundle ESM-only deps into CJS output with Rollup (#1409) (901f1b4) @​athenacfr

v7.0.0

7.0.0 (2026-03-30)

⚠ BREAKING CHANGES

• deps: bump htmlparser2 from 11.0.0 to 12.0.0

Build System

• deps: bump htmlparser2 from 11.0.0 to 12.0.0 (#1389) (9e72885)

v6.0.0

6.0.0 (2026-03-20)

⚠ BREAKING CHANGES

• client: remove exports formatAttributes and CARRIAGE_RETURN constants
• deps: bump htmlparser2 from 10.1.0 to 11.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1

Code Refactoring

• client: remove exports formatAttributes and CARRIAGE_RETURN (77c2e92)

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (24b7e31)
• deps: bump htmlparser2 from 10.1.0 to 11.0.0 (cb389eb)

Changelog

Sourced from html-dom-parser's changelog.

7.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#1439) (25da34e)

7.0.1 (2026-04-07)

Bug Fixes

• bundle ESM-only deps into CJS output with Rollup (#1409) (901f1b4)

7.0.0 (2026-03-30)

⚠ BREAKING CHANGES

• deps: bump htmlparser2 from 11.0.0 to 12.0.0

Build System

• deps: bump htmlparser2 from 11.0.0 to 12.0.0 (#1389) (9e72885)

6.0.0 (2026-03-20)

⚠ BREAKING CHANGES

• client: remove exports formatAttributes and CARRIAGE_RETURN constants
• deps: bump htmlparser2 from 10.1.0 to 11.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1

Code Refactoring

• client: remove exports formatAttributes and CARRIAGE_RETURN (77c2e92)

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (24b7e31)
• deps: bump htmlparser2 from 10.1.0 to 11.0.0 (cb389eb)

Commits

• 595dcd4 Merge pull request #1440 from remarkablemark/release-please--branches--master...
• 9fc7529 refactor: rename TrustedTypePolicyLike to TrustedTypePolicy
• f080446 build(package): update package-lock.json
• e9633cd build(deps-dev): bump rollup from 4.60.2 to 4.60.3 (#1442)
• 01856ad build(deps-dev): bump typescript-eslint from 8.59.1 to 8.59.2 (#1441)
• 865852e chore(master): release 7.1.0
• 25da34e feat(options): add CSP support with trustedTypePolicy (#1439)
• 0ac2022 build(deps-dev): bump jsdom from 29.1.0 to 29.1.1 (#1436)
• 937e39d build(deps-dev): bump globals from 17.5.0 to 17.6.0 (#1438)
• 661b85a build(deps-dev): bump eslint from 10.2.1 to 10.3.0 in the eslint group (#1437)
• Additional commits viewable in compare view

Updates html-react-parser from 4.2.10 to 6.1.0

Release notes

Sourced from html-react-parser's releases.

v6.1.0

6.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#2220) (0fd3aa0) @​remdex

v6.0.1

6.0.1 (2026-04-08)

Build System

• deps: bump html-dom-parser from 7.0.0 to 7.0.1 (#2189) (c1f9856)

v6.0.0

6.0.0 (2026-04-02)

⚠ BREAKING CHANGES

• deps: bump html-dom-parser from 5.1.8 to 7.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1
• tsconfig: change build target from es5 to es2016

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (#2163) (c3d3092)
• deps: bump html-dom-parser from 5.1.8 to 7.0.0 (#2177) (1ae59e6)
• tsconfig: change target from es5 to es2016 (796f4de)

v5.2.17

5.2.17 (2026-02-07)

Bug Fixes

• deps: bump html-dom-parser from 5.1.7 to 5.1.8 (#2113) (c53a612)

v5.2.16

5.2.16 (2026-02-03)

Build System

• deps: bump html-dom-parser from 5.1.4 to 5.1.7 (#2100) (461624b)

v5.2.15

5.2.15 (2026-01-31)

... (truncated)

Changelog

Sourced from html-react-parser's changelog.

6.1.0 (2026-05-05)

Features

• options: add CSP support with trustedTypePolicy (#2220) (0fd3aa0)

6.0.1 (2026-04-08)

Build System

• deps: bump html-dom-parser from 7.0.0 to 7.0.1 (#2189) (c1f9856)

6.0.0 (2026-04-02)

⚠ BREAKING CHANGES

• deps: bump html-dom-parser from 5.1.8 to 7.0.0
• deps: bump domhandler from 5.0.3 to 6.0.1
• tsconfig: change build target from es5 to es2016

Build System

• deps: bump domhandler from 5.0.3 to 6.0.1 (#2163) (c3d3092)
• deps: bump html-dom-parser from 5.1.8 to 7.0.0 (#2177) (1ae59e6)
• tsconfig: change target from es5 to es2016 (796f4de)

5.2.17 (2026-02-07)

Bug Fixes

• deps: bump html-dom-parser from 5.1.7 to 5.1.8 (#2113) (c53a612)

5.2.16 (2026-02-03)

Build System

• deps: bump html-dom-parser from 5.1.4 to 5.1.7 (#2100) (461624b)

5.2.15 (2026-01-31)

Bug Fixes

• esm: set explicit file extension for ./lib/utilities (d8fd0c5)

... (truncated)

Commits

• 9714731 Merge pull request #2225 from remarkablemark/release-please--branches--master...
• 85e7925 docs(readme): remove replit
• b71d16c docs(readme): tidy README.md
• 9718362 docs(readme): update faq
• c9ff46e docs(readme): improve grammar
• d9c0d8c docs(readme): document option trustedTypePolicy
• e660afb style(examples): refactor webpack index.js
• 57858ef chore(master): release 6.1.0
• eac520c build(package): update package-lock.json
• 0fd3aa0 feat(options): add CSP support with trustedTypePolicy (#2220)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for html-react-parser since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates i18next from 25.8.17 to 26.1.0

Release notes

Sourced from i18next's releases.

v26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
• security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
• security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
• chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

• fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

• fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

• fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

v26.0.2

• fix(types): t("key", {} as TOptions) no longer produces a type error — the context constraint now bypasses strict checking when context is unknown (e.g. from TOptions) 2418

v26.0.1

• fix: Formatter no longer crashes when alwaysFormat is true and no format specifier is present (format is undefined)
• fix: Formatter now returns undefined/null values as-is instead of producing NaN when the value is missing

v26.0.0

This is a major breaking release:

Breaking Changes

• Remove deprecated initImmediate option — the backward-compatibility mapping from initImmediate to initAsync (introduced in v24) has been removed. Use initAsync instead.
• Remove legacy interpolation.format function — the old monolithic format function (interpolation: { format: (value, format, lng) => ... }) is no longer supported. The built-in Formatter (or a custom Formatter module via .use()) is now always used. Migrate to the new formatting approach using i18next.services.formatter.add() or .addCached() for custom formatters.
• Remove console support notice — the console support notice introduced in v25.8.0 has been removed, along with the showSupportNotice option and all related internal suppression logic (globalThis.__i18next_supportNoticeShown, I18NEXT_NO_SUPPORT_NOTICE env var). See our blog post for the full story.
• Remove simplifyPluralSuffix option — this option was unused by the core PluralResolver (which relies entirely on Intl.PluralRules). It only had an effect in the old v1/v2/v3 compatibility layer. The v4 test compatibility layer now defaults to true internally.

... (truncated)

Changelog

Sourced from i18next's changelog.

26.1.0

• feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

• feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

• fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

• security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the