chore(deps): bump i18next-fs-backend from 2.6.1 to 2.6.4

[dependabot]

Bumps i18next-fs-backend from 2.6.1 to 2.6.4.

Changelog

Sourced from i18next-fs-backend's changelog.

2.6.4

Security release — all issues found via an internal audit. See published advisory GHSA-8847-338w-5hcj.

• security: refuse to build filesystem paths when lng or ns values contain .., path separators (/, \), control characters, prototype keys (__proto__ / constructor / prototype), or exceed 128 chars. Prevents arbitrary filesystem read / write via attacker-controlled language-code values. Any legitimate i18next language-code shape (BCP-47-like, underscores, hyphens, dots, +-joined multi-language requests) is still accepted (GHSA-8847-338w-5hcj)
• docs: new "Security considerations" README section — documents the filesystem-path sanitiser and clarifies the trust model around .js/.ts locale files (their content is eval-ed, so they must be treated as code). The eval behaviour itself is retained: dynamic expressions in .js/.ts locale files are an intentional feature, and safe replacements like import() are async-only and not viable for this sync-capable code path.
• chore: ignore .env* and *.pem/*.key files in .gitignore.

2.6.3

• use own interpolation function instead of relying on i18next's interpolator

Commits

• 7f62307 2.6.4
• adf8a30 security: hardening for 2.6.4
• 3bd0132 update deps
• fd1616f Bump fastify from 5.3.2 to 5.8.5 in /example/fastify (#67)
• 8b6a5ba 2.6.3
• 957635d use own interpolation function
• 2771083 2.6.2
• 2cd2c20 use own interpolation function
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commandkit	Ready	Preview, Comment	Apr 23, 2026 4:23am