Skip to content

Update dependency @intlify/core to v11.1.10 [SECURITY] #5511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
openverse-bot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency @intlify/core to v11.1.10 [SECURITY] #5511

openverse-bot wants to merge 1 commit into from
+202 −195

Conversation

@openverse-bot
Copy link
Collaborator

@openverse-bot openverse-bot commented Nov 17, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
@intlify/core (source) devDependencies minor 11.0.1 -> 11.1.10

GitHub Vulnerability Alerts

CVE-2025-53892

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';
Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p>
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

Release Notes

intlify/vue-i18n (@​intlify/core)

v11.1.10

Compare Source

🔒 Security Fixes
  • fix: DOM-based XSS via tag attributes for escape parameter, about details see GHSA-x8qp-wqqm-57ph

Full Changelog: intlify/vue-i18n@v11.1.9...v11.1.10

v11.1.9

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.8...v11.1.9

v11.1.8

Compare Source

What's Changed
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.7...v11.1.8

v11.1.7

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v11.1.6...v11.1.7

v11.1.6

Compare Source

What's Changed
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.5...v11.1.6

v11.1.5

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v11.1.4...v11.1.5

v11.1.4

Compare Source

What's Changed
🌟 Features
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.3...v11.1.4

v11.1.3

Compare Source

What's Changed
🐛 Bug Fixes
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.2...v11.1.3

v11.1.2

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v11.1.1...v11.1.2

v11.1.1

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.0...v11.1.1

v11.1.0

Compare Source

What's Changed

🌟 Features
📝️ Documentations

Full Changelog: intlify/vue-i18n@v11.0.1...v11.1.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@openverse-bot openverse-bot requested a review from a team as a code owner November 17, 2025 12:13
@openverse-bot openverse-bot added dependencies Pull requests that update a dependency file 💻 aspect: code Concerns the software code in the repository 🟨 tech: javascript Involves JavaScript 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: frontend Related to the Nuxt frontend labels Nov 17, 2025
@openverse-bot openverse-bot added 🟩 priority: low Low priority and doesn't need to be rushed 💻 aspect: code Concerns the software code in the repository dependencies Pull requests that update a dependency file 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🟨 tech: javascript Involves JavaScript 🧱 stack: frontend Related to the Nuxt frontend labels Nov 17, 2025
@openverse-bot openverse-bot moved this to 👀 Needs Review in Openverse PRs Nov 17, 2025
@github-actions
Copy link

github-actions bot commented Nov 17, 2025
edited
Loading

Latest k6 run output1

     ✓ status was 200

     checks.........................: 100.00% ✓ 414      ✗ 0   
     data_received..................: 99 MB   409 kB/s
     data_sent......................: 54 kB   224 B/s
     http_req_blocked...............: avg=55.83µs  min=2.14µs   med=5.14µs   max=1.32ms   p(90)=154.09µs p(95)=235.57µs
     http_req_connecting............: avg=36.91µs  min=0s       med=0s       max=1.28ms   p(90)=100.62µs p(95)=162.38µs
     http_req_duration..............: avg=162.08ms min=16.15ms  med=108.99ms max=1.04s    p(90)=363.55ms p(95)=441.13ms
       { expected_response:true }...: avg=162.08ms min=16.15ms  med=108.99ms max=1.04s    p(90)=363.55ms p(95)=441.13ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 414 
     http_req_receiving.............: avg=171.03µs min=64.89µs  med=145.8µs  max=972.91µs p(90)=266.05µs p(95)=336.56µs
     http_req_sending...............: avg=26.52µs  min=9.4µs    med=22.95µs  max=380.21µs p(90)=35.95µs  p(95)=45.36µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=161.89ms min=16ms     med=108.88ms max=1.04s    p(90)=363.26ms p(95)=440.93ms
     http_reqs......................: 414     1.717087/s
     iteration_duration.............: avg=878.34ms min=360.45ms med=896.24ms max=1.94s    p(90)=1.18s    p(95)=1.26s   
     iterations.....................: 77      0.319362/s
     vus............................: 3       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

  1. This comment will automatically update with new output each time k6 runs for this PR

@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 12 times, most recently from b7becc7 to a2dc8c0 Compare November 24, 2025 08:12
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 5 times, most recently from 79996f1 to ded5ace Compare January 12, 2026 18:12
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 8 times, most recently from 4cc14f1 to d08cec7 Compare January 23, 2026 14:11
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 6 times, most recently from dcaab9e to 4c62581 Compare January 30, 2026 08:16
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch 9 times, most recently from db460d9 to 6801f4d Compare February 5, 2026 17:50
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-vulnerability branch from 6801f4d to a867d63 Compare February 6, 2026 06:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krysal krysal Awaiting requested review from krysal krysal is a code owner automatically assigned from WordPress/openverse-frontend

@dhruvkb dhruvkb Awaiting requested review from dhruvkb dhruvkb is a code owner automatically assigned from WordPress/openverse-frontend

Assignees

No one assigned

Labels

💻 aspect: code Concerns the software code in the repository dependencies Pull requests that update a dependency file 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🟩 priority: low Low priority and doesn't need to be rushed 🧱 stack: frontend Related to the Nuxt frontend 🟨 tech: javascript Involves JavaScript

Projects

Openverse PRs
Status: 👀 Needs Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@openverse-bot