Release v0.17.0
Robust inside, for real. The hardening release: a full-code audit of all eight packages fixed every sharp edge it found — a catalog string can no longer inject a javascript: URL through attribute translation, a bad currency code or date style degrades with a warning instead of crashing t(), the CLI rejects flags that belong to another command instead of silently ignoring them, and the SSR story gets its missing piece: createRequestInstance() in virtual:verbaly gives you a per-request instance with the catalog already loaded, in one call. One breaking change: inspect() renames its locale field to from (see Changed).
Highlights
- Attribute translation is now XSS-safe end to end —
data-verbaly-attrruns URL attributes (href,src,action…) through the samesafeHrefguard as rich links and blocksstyle/srcdocentirely. A malicious or compromised catalog can't inject scripts. t()never crashes on bad format arguments — an invalid currency code ({v:currency/US}), date or time style now warns once and renders the plain value, matching howunitandrelativealready behaved.createRequestInstance(locale)invirtual:verbaly— the SSR per-request pattern in one call: fresh instance, catalog awaited, no flash. SvelteKit today, Nuxt next.- The CLI fails loudly on misplaced flags —
verbaly translate --locale esused to silently translate all locales; now it errors with "did you mean--locales?". Plus--dry-runforextract --prune. normalizeLink()andresolveRequestLocale()in core — the link sanitizer and the cookie→Accept-Languagenegotiation now live once in core; every adapter and SSR integration shares them.- Breaking:
instance.inspect(key)now returns{ from, source }instead of{ locale, source }— one name for one concept across the observability API (ResolveInfo.from).
For the full details of this release, see the repository changelog.