Skip to content

Release v0.17.0

Choose a tag to compare

@github-actions github-actions released this 11 Jul 19:35
59a4151

Robust inside, for real. The hardening release: a full-code audit of all eight packages fixed every sharp edge it found — a catalog string can no longer inject a javascript: URL through attribute translation, a bad currency code or date style degrades with a warning instead of crashing t(), the CLI rejects flags that belong to another command instead of silently ignoring them, and the SSR story gets its missing piece: createRequestInstance() in virtual:verbaly gives you a per-request instance with the catalog already loaded, in one call. One breaking change: inspect() renames its locale field to from (see Changed).

Highlights

  • Attribute translation is now XSS-safe end to enddata-verbaly-attr runs URL attributes (href, src, action…) through the same safeHref guard as rich links and blocks style/srcdoc entirely. A malicious or compromised catalog can't inject scripts.
  • t() never crashes on bad format arguments — an invalid currency code ({v:currency/US}), date or time style now warns once and renders the plain value, matching how unit and relative already behaved.
  • createRequestInstance(locale) in virtual:verbaly — the SSR per-request pattern in one call: fresh instance, catalog awaited, no flash. SvelteKit today, Nuxt next.
  • The CLI fails loudly on misplaced flagsverbaly translate --locale es used to silently translate all locales; now it errors with "did you mean --locales?". Plus --dry-run for extract --prune.
  • normalizeLink() and resolveRequestLocale() in core — the link sanitizer and the cookie→Accept-Language negotiation now live once in core; every adapter and SSR integration shares them.
  • Breaking: instance.inspect(key) now returns { from, source } instead of { locale, source } — one name for one concept across the observability API (ResolveInfo.from).

For the full details of this release, see the repository changelog.