chore(deps): bump the production-dependencies group in /apps/web with 3 updates

[dependabot]

Bumps the production-dependencies group in /apps/web with 3 updates: i18next, i18next-http-backend and react-i18next.

Updates i18next from 26.0.6 to 26.0.8

Release notes

Sourced from i18next's releases.

v26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

Changelog

Sourced from i18next's changelog.

26.0.8

• fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

• fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
• chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
• chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

Commits

• 3ea438f 26.0.8
• 5176bbd retry version bump
• 10b48c6 26.0.8
• 9fdd99a retry version bump
• 9ee7da1 changelog
• 8ce5e26 26.0.8
• e802567 fix(types): restore ExistsFunction shape to keep arrow-function wrappers as...
• ce06fba 26.0.7
• ca33377 chore: drop unused @​babel/runtime dep and redundant bundled ESM output
• 8abe4e6 fix: show resolved plural key in missingKey debug log
• Additional commits viewable in compare view

Updates i18next-http-backend from 3.0.5 to 3.0.6

Changelog

Sourced from i18next-http-backend's changelog.

3.0.6

• fix: allow forward slashes in ns values so nested namespace names (mapping to URL layouts such as /locales/en/a/b.json) fetch correctly again. 3.0.5's security fix applied the same strict URL-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafeUrlSegment is now split into isSafeLangUrlSegment (strict — still rejects /) and isSafeNsUrlSegment (loose — allows / but still rejects .., \, URL-structure characters, control chars, prototype keys, and oversized inputs). isSafeUrlSegment is kept as a backwards-compatible alias for the strict check. The 3.0.5 security fix remains in force for every concrete attack pattern from the original advisory.

Commits

• ddf1048 3.0.6
• d73cfdc fix: allow forward slashes in ns values
• 9abbdee Bump i18next-http-backend from 1.4.0 to 3.0.5 in /example/i18next-vue (#184)
• b4ca8bb Bump i18next-http-backend from 3.0.1 to 3.0.5 in /example/fallback (#183)
• dffddd4 Bump i18next-http-backend from 3.0.2 to 3.0.5 in /example/next (#182)
• fd29b40 Bump i18next-http-backend from 1.3.2 to 3.0.5 in /example/vue (#181)
• dc68dbe docs: link published GHSA advisory in v3.0.5 notes
• See full diff in compare view

Updates react-i18next from 17.0.4 to 17.0.6

Changelog

Sourced from react-i18next's changelog.

17.0.6

• fix: restore the v17 nodesToString output format consumed by i18next-cli's extractor while still rendering 1919 correctly
  • 17.0.5 fixed 1919 by changing what nodesToString produced, which inadvertently changed the extracted translation strings for keep-tags wrapping non-keep React elements
  • The fix now lives in the renderer: indexed <N> placeholders nested inside a keep-tag are scoped to that tag's own original React children (matching kept tags by name and positional occurrence at each level), so the translation string format produced by nodesToString is unchanged

17.0.5

• fix: <Trans /> no longer breaks child rendering when a kept HTML node (transKeepBasicHtmlNodesFor) wraps a non-keep React element 1919 — superseded by 17.0.6, which keeps the same runtime fix without changing the nodesToString output

Commits

• cb20d18 17.0.6
• b8ad5e4 fix: scope indexed placeholders inside keep-tags at render time #1919
• 75ce985 17.0.5
• 9803bb8 fix: <Trans /> no longer breaks child rendering when a kept HTML node (transK...
• ec37a48 chore: ignore .env*, *.pem, *.key in .gitignore
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[hessius]

Superseded — dependency bumped in version/2.4.0 (commit d9305a3).

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml