Security release — all issues found via an internal audit. GHSA advisory filed after release.
- security: warn when a translation string combines
escapeValue: falsewith interpolated variables inside a$t(key, { ... "{{var}}" ... })nesting-options block. In that narrow combination, attacker-controlled string values containing"can break out of the JSON options literal and inject additional nesting options (e.g. redirectlng/ns). The defaultescapeValue: trueconfiguration is unaffected because HTML-escaping neutralises the quote beforeJSON.parse. See the security docs for mitigation guidance (GHSA-TBD) - security: apply
regexEscapetounescapePrefix/unescapeSuffixon par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the{{- var}}syntax when the delimiter contains characters like(,[,. - security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
- chore: ignore
.env*and*.pem/*.keyfiles in.gitignore