chore(deps): bump i18next-http-backend from 2.7.3 to 3.0.5

[dependabot]

Bumps i18next-http-backend from 2.7.3 to 3.0.5.

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

• security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)
• security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process
• security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)
• security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath
• security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers
• chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

• use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths

3.0.2

• optimize fetchApi selector

3.0.1

• try to get rid of top-level await

3.0.0

• fix for Deno 2 and removal of unnecessary .cjs file
• for esm build environments not supporting top-level await, you should import the i18next-http-backend/cjs export or stay at v2.6.2 or v2.7.1

Commits

• 5757fa3 3.0.5
• 4cee84f security: hardening for 3.0.5
• 4cbc487 Bump next from 16.2.1 to 16.2.3 in /example/next (#180)
• 0d7dcbb make last change more clear
• c740e01 year
• e1dc72b changelog fix
• 4dbb485 3.0.4
• 5f33a0c use own interpolation function for loadPath and addPath instead of relying on...
• 681c09d update ci actions
• e63ff16 adjust deno test
• Additional commits viewable in compare view

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	meet-web	a65c612	Commit Preview URL Branch Preview URL	May 20 2026, 09:13 AM

[github-actions]

Deploying meet-web with    Cloudflare Pages

Latest commit:	a65c612
Status:	❌  Deploy failed!
Updated (Europe/Madrid):	20/5/2026, 11:12:19