Skip to content

fix(deps): update dependency next-intl to ^4.9.2 [security]#139

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-next-intl-vulnerability
Open

fix(deps): update dependency next-intl to ^4.9.2 [security]#139
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-next-intl-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 11, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
next-intl (source) ^4.1.0^4.9.2 age confidence
next-intl (source) ^4.3.12^4.9.2 age confidence

next-intl has an open redirect vulnerability

CVE-2026-40299 / GHSA-8f24-v5vv-gm5j

More information

Details

Impact

Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.

Patches

The problem has been patched, please update to next-intl@4.9.1.

Credits

Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


next-intl has prototype pollution with experimental.messages.precompile via attacker-controlled translation catalog keys

GHSA-4c35-wcg5-mm9h

More information

Details

Summary

setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.

Details

Root cause — packages/next-intl/src/extractor/utils.tsx:13-34:

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  let current = obj;

  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !(key in current) ||
      typeof current[key] !== 'object' ||
      current[key] === null
    ) {
      current[key] = {};
    }
    current = current[key];
  }

  current[keys[keys.length - 1]] = value;
}

The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.

Build-time data flow:

  1. packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83 — the webpack/turbopack loader receives the catalog file source and, if options.messages.precompile is enabled, calls codec.decode(source, {locale}).
  2. packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18decode runs JSON.parse(source). V8 installs __proto__ as an own data property on the result when the JSON key is literally "__proto__" (bypassing the normal Object.prototype.__proto__ setter that would otherwise reassign the prototype).
  3. JSONCodec.tsx:33-53traverseMessages iterates Object.keys(obj), which for a JSON‑parsed object includes the own __proto__ key. It reads obj.__proto__ (returns the attacker’s nested object, not Object.prototype, because it's an own property), recurses into it, and emits message id __proto__.isAdmin.
  4. catalogLoader.tsx:71precompileMessages(decoded, cache).
  5. catalogLoader.tsx:89-131 — for each message, calls setNestedProperty(result, message.id, compiledMessage). With message.id === '__proto__.isAdmin', setNestedProperty walks into Object.prototype and assigns Object.prototype.isAdmin = compiledMessage.

The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.

After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.

Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.

PoC

Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:

// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';

const withNextIntl = createNextIntlPlugin({
  experimental: {
    messages: {
      path: './messages',
      format: 'json',
      locales: 'infer',
      precompile: true
    }
  }
});

export default withNextIntl({});
  1. Drop a malicious catalog at messages/en.json:

    {
      "Greeting": "Hello",
      "__proto__": { "isAdmin": "polluted" }
    }
  2. Run next build (or next dev). The catalogLoader will invoke JSONCodec.decodetraverseMessagesprecompileMessagessetNestedProperty.

  3. Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):

    function setNestedProperty(obj, keyPath, value) {
      const keys = keyPath.split('.');
      let current = obj;
      for (let i = 0; i < keys.length - 1; i++) {
        const key = keys[i];
        if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) {
          current[key] = {};
        }
        current = current[key];
      }
      current[keys[keys.length - 1]] = value;
    }
    
    setNestedProperty({}, '__proto__.isAdmin', 'PWNED');
    console.log(({}).isAdmin); // -> "PWNED"

    Output: PWNED.

  4. Full chain reproduction (also verified):

    const parsed = JSON.parse('{"Greeting":"Hello","__proto__":{"isAdmin":"polluted"}}');
    // traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:"__proto__.isAdmin",message:"polluted"}]
    // precompileMessages then calls setNestedProperty(result, "__proto__.isAdmin", "polluted")
    console.log(({}).isAdmin); // -> "polluted"

    After the loader runs, ({}).isAdmin === 'polluted' for the remainder of the build Node process.

Impact
  • Object.prototype is polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).
  • Classic CWE-1321 gadget-chain precondition: downstream tools that branch on obj.someFlag, options[key] ?? default, if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles.
  • Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
  • Exploitation requires the user to opt in to the experimental.messages + precompile configuration. Users who do not use the extractor/precompile features are not affected.
Recommended Fix

Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Invalid message id segment: ${key}`);
    }
  }

  let current = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !Object.prototype.hasOwnProperty.call(current, key) ||
      typeof current[key] !== 'object' ||
      current[key] === null
    ) {
      current[key] = Object.create(null);
    }
    current = current[key];
  }

  current[keys[keys.length - 1]] = value;
}

Additionally:

  • In packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, make traverseMessages skip reserved keys (or switch to Object.create(null) + Object.hasOwn semantics) so that a malicious catalog is rejected early with a clear error rather than producing __proto__.* message ids.
  • In packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initialize precompileMessages’s result with Object.create(null) as defense in depth, so even if a key slipped through it could not redirect through Object.prototype.

Severity

  • CVSS Score: 4.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


next-intl has an open redirect vulnerability

CVE-2026-40299 / GHSA-8f24-v5vv-gm5j

More information

Details

Impact

Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.

Patches

The problem has been patched, please update to next-intl@4.9.1.

Credits

Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


next-intl has prototype pollution with experimental.messages.precompile via attacker-controlled translation catalog keys

GHSA-4c35-wcg5-mm9h

More information

Details

Summary

setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.

Details

Root cause — packages/next-intl/src/extractor/utils.tsx:13-34:

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  let current = obj;

  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !(key in current) ||
      typeof current[key] !== 'object' ||
      current[key] === null
    ) {
      current[key] = {};
    }
    current = current[key];
  }

  current[keys[keys.length - 1]] = value;
}

The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.

Build-time data flow:

  1. packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83 — the webpack/turbopack loader receives the catalog file source and, if options.messages.precompile is enabled, calls codec.decode(source, {locale}).
  2. packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18decode runs JSON.parse(source). V8 installs __proto__ as an own data property on the result when the JSON key is literally "__proto__" (bypassing the normal Object.prototype.__proto__ setter that would otherwise reassign the prototype).
  3. JSONCodec.tsx:33-53traverseMessages iterates Object.keys(obj), which for a JSON‑parsed object includes the own __proto__ key. It reads obj.__proto__ (returns the attacker’s nested object, not Object.prototype, because it's an own property), recurses into it, and emits message id __proto__.isAdmin.
  4. catalogLoader.tsx:71precompileMessages(decoded, cache).
  5. catalogLoader.tsx:89-131 — for each message, calls setNestedProperty(result, message.id, compiledMessage). With message.id === '__proto__.isAdmin', setNestedProperty walks into Object.prototype and assigns Object.prototype.isAdmin = compiledMessage.

The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.

After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.

Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.

PoC

Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:

// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';

const withNextIntl = createNextIntlPlugin({
  experimental: {
    messages: {
      path: './messages',
      format: 'json',
      locales: 'infer',
      precompile: true
    }
  }
});

export default withNextIntl({});
  1. Drop a malicious catalog at messages/en.json:

    {
      "Greeting": "Hello",
      "__proto__": { "isAdmin": "polluted" }
    }
  2. Run next build (or next dev). The catalogLoader will invoke JSONCodec.decodetraverseMessagesprecompileMessagessetNestedProperty.

  3. Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):

    function setNestedProperty(obj, keyPath, value) {
      const keys = keyPath.split('.');
      let current = obj;
      for (let i = 0; i < keys.length - 1; i++) {
        const key = keys[i];
        if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) {
          current[key] = {};
        }
        current = current[key];
      }
      current[keys[keys.length - 1]] = value;
    }
    
    setNestedProperty({}, '__proto__.isAdmin', 'PWNED');
    console.log(({}).isAdmin); // -> "PWNED"

    Output: PWNED.

  4. Full chain reproduction (also verified):

    const parsed = JSON.parse('{"Greeting":"Hello","__proto__":{"isAdmin":"polluted"}}');
    // traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:"__proto__.isAdmin",message:"polluted"}]
    // precompileMessages then calls setNestedProperty(result, "__proto__.isAdmin", "polluted")
    console.log(({}).isAdmin); // -> "polluted"

    After the loader runs, ({}).isAdmin === 'polluted' for the remainder of the build Node process.

Impact
  • Object.prototype is polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).
  • Classic CWE-1321 gadget-chain precondition: downstream tools that branch on obj.someFlag, options[key] ?? default, if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles.
  • Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
  • Exploitation requires the user to opt in to the experimental.messages + precompile configuration. Users who do not use the extractor/precompile features are not affected.
Recommended Fix

Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Invalid message id segment: ${key}`);
    }
  }

  let current = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !Object.prototype.hasOwnProperty.call(current, key) ||
      typeof current[key] !== 'object' ||
      current[key] === null
    ) {
      current[key] = Object.create(null);
    }
    current = current[key];
  }

  current[keys[keys.length - 1]] = value;
}

Additionally:

  • In packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, make traverseMessages skip reserved keys (or switch to Object.create(null) + Object.hasOwn semantics) so that a malicious catalog is rejected early with a clear error rather than producing __proto__.* message ids.
  • In packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initialize precompileMessages’s result with Object.create(null) as defense in depth, so even if a key slipped through it could not redirect through Object.prototype.

Severity

  • CVSS Score: 4.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

amannn/next-intl (next-intl)

v4.9.2

Compare Source

Bug Fixes

v4.9.1

Compare Source

Bug Fixes

v4.9.0

Compare Source

Features

v4.8.4

Compare Source

Bug Fixes

v4.8.3

Compare Source

Bug Fixes

v4.8.2

Compare Source

Bug Fixes

v4.8.1

Compare Source

Bug Fixes

v4.8.0

Compare Source

Features

v4.7.0

Compare Source

Features

v4.6.1

Compare Source

Bug Fixes

v4.6.0

Compare Source

Features
  • Custom formats for useExtracted, consistency fixes for file references, pruning of messages and sorting of keys (#​2155) (c02818e) – by @​amannn

v4.5.8

Compare Source

Bug Fixes

v4.5.7

Compare Source

Bug Fixes

v4.5.6

Compare Source

Bug Fixes

v4.5.5

Compare Source

Bug Fixes

v4.5.4

Compare Source

Bug Fixes

v4.5.3

Compare Source

Bug Fixes

v4.5.2

Compare Source

Bug Fixes

v4.5.1

Compare Source

Bug Fixes

v4.5.0

Compare Source

Features

v4.4.0

Compare Source

Features

v4.3.12

Compare Source

Bug Fixes

v4.3.11

Compare Source

Bug Fixes

v4.3.10

Compare Source

Bug Fixes

v4.3.9

Compare Source

Bug Fixes

v4.3.8

Compare Source

Bug Fixes

v4.3.7

Compare Source

Bug Fixes

v4.3.6

Compare Source

Bug Fixes

v4.3.5

Compare Source

Bug Fixes

v4.3.4

Compare Source

Bug Fixes

v4.3.3

Compare Source

Bug Fixes

v4.3.2

Compare Source

Bug Fixes

v4.3.1

Compare Source

Bug Fixes

v4.3.0

Compare Source

Features

v4.2.0

Compare Source

Features

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch 8 times, most recently from dbd3c5f to 7d62216 Compare April 21, 2026 23:05
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch 3 times, most recently from 544267b to 86cc70e Compare April 29, 2026 18:19
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.1 [security] fix(deps): update dependency next-intl to ^4.11.0 [security] Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from 86cc70e to 0e38d1e Compare April 29, 2026 23:41
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.11.0 [security] fix(deps): update dependency next-intl to ^4.9.1 [security] Apr 29, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.1 [security] fix(deps): update dependency next-intl to ^4.11.0 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch 2 times, most recently from cc4ce14 to 8307184 Compare April 30, 2026 17:58
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.11.0 [security] fix(deps): update dependency next-intl to ^4.9.1 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from 8307184 to 6e4bcbf Compare May 6, 2026 21:18
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.1 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] May 6, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from 6e4bcbf to acdcca0 Compare May 12, 2026 10:44
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.2 [security] fix(deps): update dependency next-intl to ^4.11.2 [security] May 12, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from acdcca0 to 8ea95ba Compare May 12, 2026 17:54
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.11.2 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] May 12, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.2 [security] fix(deps): update dependency next-intl to ^4.12.0 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch 2 times, most recently from 24dbf4c to d804333 Compare May 14, 2026 22:06
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.12.0 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] May 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from d804333 to cdbe967 Compare May 18, 2026 16:51
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.2 [security] fix(deps): update dependency next-intl to ^4.12.0 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from cdbe967 to ee697ec Compare May 18, 2026 23:59
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.12.0 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] May 18, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from ee697ec to 62b6a48 Compare May 22, 2026 18:17
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.2 [security] fix(deps): update dependency next-intl to ^4.12.0 [security] May 22, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from 62b6a48 to f9258ad Compare May 22, 2026 23:47
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.12.0 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] May 22, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.2 [security] fix(deps): update dependency next-intl to ^4.13.0 [security] May 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch 2 times, most recently from 8fa2662 to 6a24405 Compare May 28, 2026 23:55
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.13.0 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] May 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from 6a24405 to 248e27f Compare June 21, 2026 23:49
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.9.2 [security] fix(deps): update dependency next-intl to ^4.13.0 [security] Jun 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-intl-vulnerability branch from 248e27f to 8c01a02 Compare June 22, 2026 01:49
@renovate renovate Bot changed the title fix(deps): update dependency next-intl to ^4.13.0 [security] fix(deps): update dependency next-intl to ^4.9.2 [security] Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants