Skip to content

chore: bump the npm-major group across 1 directory with 16 updates#1025

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-major-a00e25e7cb
Open

chore: bump the npm-major group across 1 directory with 16 updates#1025
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-major-a00e25e7cb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-major group with 16 updates in the / directory:

Package From To
i18next 25.10.10 26.3.3
i18next-http-backend 2.7.3 4.0.0
matrix-js-sdk 38.4.0 41.8.0
react 18.3.1 19.2.7
@types/react 18.3.31 19.2.17
react-dom 18.3.1 19.2.7
@types/react-dom 18.3.7 19.2.3
react-i18next 16.6.6 17.0.8
react-leaflet 4.2.1 5.0.0
react-router-dom 6.30.4 7.18.0
@types/node 24.13.2 26.0.1
@vitejs/plugin-react 5.2.0 6.0.3
typescript 5.9.3 6.0.3
vite 7.3.5 8.1.0
vite-plugin-static-copy 3.4.0 4.1.1
vite-plugin-svgr 4.5.0 5.2.0

Updates i18next from 25.10.10 to 26.3.3

Release notes

Sourced from i18next's releases.

v26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

v26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

v26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

v26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

v26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
  • chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
  • chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

  • fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

  • fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

  • fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

... (truncated)

Changelog

Sourced from i18next's changelog.

26.3.3

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#2438). Fixes #2398.

26.3.2

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#2437).

26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
  • chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
  • chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)

... (truncated)

Commits

Updates i18next-http-backend from 2.7.3 to 4.0.0

Changelog

Sourced from i18next-http-backend's changelog.

4.0.0

  • BREAKING: drop cross-fetch dependency. i18next-http-backend now requires a host-provided fetch. This is available in Node ≥ 18 (stable since Node 21), all modern browsers, Deno, and Bun. For runtimes without native fetch, install a ponyfill yourself and inject it via options.alternateFetch, or stay on v3.x.
  • BREAKING: minimum Node version is now 18 (engines.node = ">=18").
  • chore: simplified environment detection in lib/request.js — uses globalThis (with global / window fallbacks for legacy embedded runtimes) instead of separate global.* / window.* branches per API. XHR / ActiveXObject are still picked up if the host provides them, but no longer polyfilled.
  • chore: declared "sideEffects": false for better tree-shaking by downstream bundlers.
  • build: replaced babel + browserify + uglify-js with tsdown (rolldown + oxc). One config produces ESM, CJS, and the IIFE browser bundles. Drops @babel/cli, @babel/core, @babel/preset-env, babel-plugin-add-module-exports, browserify, uglify-js, the fixcjs rewrite hack, and the --ignore cross-fetch browserify flag. Side benefit: minified browser bundle shrinks from ~13 KB to ~6.8 KB (oxc minifier + no babel runtime helpers).
  • build: ESM and CJS outputs are now bundled into a single index.js per format (previously one file per lib/*.js module). The package's exports map is unchanged, so this is invisible to consumers using documented entry points.
  • lint: replaced eslint-config-standard (+ five plugins) with neostandard and migrated to ESLint 9 flat config (eslint.config.mjs). Removed deprecated tslint and dtslinttest:typescript now runs tsc --noEmit plus tsd.
  • chore: tightened .npmignore — published tarball no longer includes the source lib/, the build configs (tsdown.config.ts, eslint.config.mjs, tsconfig.json), or the root index.js re-export shim. Drops from 21.3 KB → ~17 KB packed.
  • docs: alternateFetch is now documented in the README options block as the supported escape hatch for fetch ponyfills, test mocking, and request interception. v4 migration note added to "Getting started".

3.0.6

  • fix: allow forward slashes in ns values so nested namespace names (mapping to URL layouts such as /locales/en/a/b.json) fetch correctly again. 3.0.5's security fix applied the same strict URL-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafeUrlSegment is now split into isSafeLangUrlSegment (strict — still rejects /) and isSafeNsUrlSegment (loose — allows / but still rejects .., \, URL-structure characters, control chars, prototype keys, and oversized inputs). isSafeUrlSegment is kept as a backwards-compatible alias for the strict check. The 3.0.5 security fix remains in force for every concrete attack pattern from the original advisory.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

  • security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)
  • security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process
  • security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)
  • security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath
  • security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers
  • chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

  • use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths

3.0.2

  • optimize fetchApi selector

3.0.1

  • try to get rid of top-level await

3.0.0

  • fix for Deno 2 and removal of unnecessary .cjs file
  • for esm build environments not supporting top-level await, you should import the i18next-http-backend/cjs export or stay at v2.6.2 or v2.7.1
Commits
  • a4d4a83 4.0.0
  • fdf4f98 feat!: v4 — drop cross-fetch, switch build to tsdown, lint to neostandard
  • d8dafd8 docs: clarify that nested-ns with slashes was never officially supported
  • e534a62 build
  • ddf1048 3.0.6
  • d73cfdc fix: allow forward slashes in ns values
  • 9abbdee Bump i18next-http-backend from 1.4.0 to 3.0.5 in /example/i18next-vue (#184)
  • b4ca8bb Bump i18next-http-backend from 3.0.1 to 3.0.5 in /example/fallback (#183)
  • dffddd4 Bump i18next-http-backend from 3.0.2 to 3.0.5 in /example/next (#182)
  • fd29b40 Bump i18next-http-backend from 1.3.2 to 3.0.5 in /example/vue (#181)
  • Additional commits viewable in compare view

Updates matrix-js-sdk from 38.4.0 to 41.8.0

Release notes

Sourced from matrix-js-sdk's releases.

v41.8.0

✨ Features

  • MatrixRTC: Preserve original error as cause when wrapping in scheduler (#5363). Contributed by @​fkwp.
  • Add mechanism to locally enforce MSC1763 retention rules (#5353). Contributed by @​Half-Shot.

🐛 Bug Fixes

  • Fall back to local indexeddb backend when worker fails to start (#5361). Contributed by @​t3chguy.

v41.8.0-rc.0

✨ Features

  • MatrixRTC: Preserve original error as cause when wrapping in scheduler (#5363). Contributed by @​fkwp.
  • Add mechanism to locally enforce MSC1763 retention rules (#5353). Contributed by @​Half-Shot.

🐛 Bug Fixes

  • Fall back to local indexeddb backend when worker fails to start (#5361). Contributed by @​t3chguy.

v41.7.0

✨ Features

🐛 Bug Fixes

  • [Backport staging] SECURITY: Update matrix-sdk-crypto-wasm to v18.3.1 (#5356). Contributed by @​RiotRobot.
  • fix(MatrixRTCSession): replace no-arg .finally() with .then(fn, fn) to fix crash on React Native / Hermes (#5307). Contributed by @​JeanLuX.

v41.7.0-rc.3

✨ Features

🐛 Bug Fixes

  • [Backport staging] SECURITY: Update matrix-sdk-crypto-wasm to v18.3.1 (#5356). Contributed by @​RiotRobot.
  • fix(MatrixRTCSession): replace no-arg .finally() with .then(fn, fn) to fix crash on React Native / Hermes (#5307). Contributed by @​JeanLuX.

v41.7.0-rc.2

✨ Features

🐛 Bug Fixes

  • fix(MatrixRTCSession): replace no-arg .finally() with .then(fn, fn) to fix crash on React Native / Hermes (#5307). Contributed by @​JeanLuX.

v41.7.0-rc.1

... (truncated)

Changelog

Sourced from matrix-js-sdk's changelog.

Changes in 41.8.0 (2026-06-23)

✨ Features

  • MatrixRTC: Preserve original error as cause when wrapping in scheduler (#5363). Contributed by @​fkwp.
  • Add mechanism to locally enforce MSC1763 retention rules (#5353). Contributed by @​Half-Shot.

🐛 Bug Fixes

  • Fall back to local indexeddb backend when worker fails to start (#5361). Contributed by @​t3chguy.

Changes in 41.7.0 (2026-06-09)

✨ Features

🐛 Bug Fixes

  • [Backport staging] SECURITY: Update matrix-sdk-crypto-wasm to v18.3.1 (#5356). Contributed by @​RiotRobot.
  • fix(MatrixRTCSession): replace no-arg .finally() with .then(fn, fn) to fix crash on React Native / Hermes (#5307). Contributed by @​JeanLuX.

Changes in 41.6.0 (2026-05-26)

🐛 Bug Fixes

  • Throw sane error on completeLoginOnNewDevice IdP rejection (#5321). Contributed by @​t3chguy.

Changes in 41.5.0 (2026-05-12)

✨ Features

Changes in 41.4.0 (2026-04-28)

✨ Features

  • Handle secret pushing for key backups (#5189). Contributed by @​uhoreg.
  • Add support for m.recent_emoji account data event (#5280). Contributed by @​t3chguy.
  • Adapt LiveKit Identity hash calculation to latest MSC4195 update (#5268). Contributed by @​fkwp.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for matrix-js-sdk since your current version.


Updates react from 18.3.1 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.1 (December 3rd, 2025)

React Server Components

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

... (truncated)

Changelog

Sourced from react's changelog.

19.2.7 (June 1, 2026)

React Server Components

19.2.6 (May 6, 2026)

React Server Components

19.2.5 (March 18, 2026)

React Server Components

19.2.4 (Jan 26, 2026)

React Server Components

19.2.3 (Dec 11, 2025)

React Server Components

19.2.2 (Dec 11, 2025)

React Server Components

19.2.1 (Dec 3, 2025)

React Server Components

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.


Updates @types/react from 18.3.31 to 19.2.17

Commits

Updates react-dom from 18.3.1 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.1 (December 3rd, 2025)

React Server Components

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets ...

    Description has been truncated

@dependabot dependabot Bot added the internal label Jul 4, 2026
@dependabot dependabot Bot requested review from 7w1 and hazre as code owners July 4, 2026 05:20
@dependabot dependabot Bot added the internal label Jul 4, 2026
Bumps the npm-major group with 16 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [i18next](https://github.com/i18next/i18next) | `25.10.10` | `26.3.3` |
| [i18next-http-backend](https://github.com/i18next/i18next-http-backend) | `2.7.3` | `4.0.0` |
| [matrix-js-sdk](https://github.com/matrix-org/matrix-js-sdk) | `38.4.0` | `41.8.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `18.3.1` | `19.2.7` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `18.3.31` | `19.2.17` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `18.3.1` | `19.2.7` |
| [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom) | `18.3.7` | `19.2.3` |
| [react-i18next](https://github.com/i18next/react-i18next) | `16.6.6` | `17.0.8` |
| [react-leaflet](https://github.com/PaulLeCam/react-leaflet) | `4.2.1` | `5.0.0` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `6.30.4` | `7.18.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.13.2` | `26.0.1` |
| [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) | `5.2.0` | `6.0.3` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.3` | `6.0.3` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.5` | `8.1.0` |
| [vite-plugin-static-copy](https://github.com/sapphi-red/vite-plugin-static-copy) | `3.4.0` | `4.1.1` |
| [vite-plugin-svgr](https://github.com/pd4d10/vite-plugin-svgr) | `4.5.0` | `5.2.0` |



Updates `i18next` from 25.10.10 to 26.3.3
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v25.10.10...v26.3.3)

Updates `i18next-http-backend` from 2.7.3 to 4.0.0
- [Changelog](https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-http-backend@v2.7.3...v4.0.0)

Updates `matrix-js-sdk` from 38.4.0 to 41.8.0
- [Release notes](https://github.com/matrix-org/matrix-js-sdk/releases)
- [Changelog](https://github.com/matrix-org/matrix-js-sdk/blob/develop/CHANGELOG.md)
- [Commits](matrix-org/matrix-js-sdk@v38.4.0...v41.8.0)

Updates `react` from 18.3.1 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `@types/react` from 18.3.31 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 18.3.1 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `@types/react-dom` from 18.3.7 to 19.2.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom)

Updates `react-i18next` from 16.6.6 to 17.0.8
- [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/react-i18next@v16.6.6...v17.0.8)

Updates `react-leaflet` from 4.2.1 to 5.0.0
- [Release notes](https://github.com/PaulLeCam/react-leaflet/releases)
- [Changelog](https://github.com/PaulLeCam/react-leaflet/blob/master/CHANGELOG.md)
- [Commits](PaulLeCam/react-leaflet@v4.2.1...v5.0.0)

Updates `react-router-dom` from 6.30.4 to 7.18.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/react-router-dom@7.18.0/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.18.0/packages/react-router-dom)

Updates `@types/node` from 24.13.2 to 26.0.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@types/react` from 18.3.31 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@types/react-dom` from 18.3.7 to 19.2.3
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom)

Updates `@vitejs/plugin-react` from 5.2.0 to 6.0.3
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.3/packages/plugin-react)

Updates `typescript` from 5.9.3 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

Updates `vite` from 7.3.5 to 8.1.0
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite)

Updates `vite-plugin-static-copy` from 3.4.0 to 4.1.1
- [Release notes](https://github.com/sapphi-red/vite-plugin-static-copy/releases)
- [Changelog](https://github.com/sapphi-red/vite-plugin-static-copy/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sapphi-red/vite-plugin-static-copy/compare/vite-plugin-static-copy@3.4.0...vite-plugin-static-copy@4.1.1)

Updates `vite-plugin-svgr` from 4.5.0 to 5.2.0
- [Release notes](https://github.com/pd4d10/vite-plugin-svgr/releases)
- [Commits](pd4d10/vite-plugin-svgr@v4.5.0...v5.2.0)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 26.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: "@types/react-dom"
  dependency-version: 19.2.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: "@types/react-dom"
  dependency-version: 19.2.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: i18next
  dependency-version: 26.3.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: i18next-http-backend
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: matrix-js-sdk
  dependency-version: 41.8.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: react-i18next
  dependency-version: 17.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: react-leaflet
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: react-router-dom
  dependency-version: 7.18.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: vite
  dependency-version: 8.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: vite-plugin-static-copy
  dependency-version: 4.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: vite-plugin-svgr
  dependency-version: 5.2.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-major-a00e25e7cb branch from 59516ae to b51acdb Compare July 6, 2026 01:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants