fix(deps): update dependency next-intl to v4 [security]#342

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/npm-next-intl-vulnerability

Contributor

renovate bot commented Apr 11, 2026

This PR contains the following updates:

Package	Change	Age	Confidence
next-intl (source)	`^3.14.1` → `^4.0.0`

GitHub Vulnerability Alerts

GHSA-8f24-v5vv-gm5j

Impact

Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.

Patches

The problem has been patched, please update to next-intl@4.9.1.

Credits

Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.

Release Notes

amannn/next-intl (next-intl)

`v4.9.1`

Bug Fixes

Improve middleware pathname validation (#2304) (1c80b66) – by @amannn

`v4.9.0`

Features

Support transitionTypes on Link (#2302) (02811f5) – by @amannn

`v4.8.4`

Bug Fixes

Remove TypeScript peer dependency and update examples to TypeScript v6 (#2293) (5e7bcd7) – by @wojtekmaj

`v4.8.3`

Bug Fixes

Update @formatjs/intl-localematcher (#2265) (196f1f3) – by @amannn

`v4.8.2`

Bug Fixes

Avoid throwing config errors for non-Next.js consumers of next.config.ts (#2245) (f57800e) – by @amannn

`v4.8.1`

Bug Fixes

Fix precompile alias on Windows (#2237) (8e7151a) – by @amannn

`v4.8.0`

Features

Ahead-of-time compilation for messages (#2220) (02149c1) – by @amannn

`v4.7.0`

Features

Improvements for useExtracted (#2200) (ebc5e43) – by @amannn

`v4.6.1`

Bug Fixes

Improvements for useExtracted (#2176) (3937e44) – by @amannn

`v4.6.0`

Features

Custom formats for useExtracted, consistency fixes for file references, pruning of messages and sorting of keys (#2155) (c02818e) – by @amannn

`v4.5.8`

Bug Fixes

Improvements for useExtracted (#2152) (9b7c9fe) – by @amannn

`v4.5.7`

Bug Fixes

Skip accept-language parsing when locale cookie is already present (#2143) (0d1331b), closes #2116 – by @lxup

`v4.5.6`

Bug Fixes

Improvements for useExtracted (#2133) (5397c49) – by @amannn

`v4.5.5`

Bug Fixes

Move SWC cache to node_modules (#2120) (0ba9105) – by @amannn

`v4.5.4`

Bug Fixes

Move AST transformer of useExtracted to SWC plugin & handle source maps (#2114) (e63fbc5) – by @amannn

`v4.5.3`

Bug Fixes

Fix inconsistent ordering of messages for useExtracted pt. 2 (#2103) (5cbd5da) – by @amannn

`v4.5.2`

Bug Fixes

Bug fixes for useExtracted (#2099) (b1ff1fa) – by @amannn

`v4.5.1`

Bug Fixes

Avoid partial matches in overlapping localized pathnames (#2090) (c276c80), closes #2089 #2089 – by @amannn

`v4.5.0`

Features

Add useExtracted (experimental) (#2080) (7a85644) – by @amannn

`v4.4.0`

Features

Next.js 16 update (#2054) (c397e92) – by @amannn

`v4.3.12`

Bug Fixes

Use correct return type for getTimeZone (#2053) (bdc2af4), closes #2052 – by @amannn

`v4.3.11`

Bug Fixes

Only call NextResponse.rewrite if really necessary (#2051) (43ed4aa) – by @amannn

`v4.3.10`

Bug Fixes

Bump @types/react version (#2050) (c1e997e), closes #2044 #2044 – by @amannn

`v4.3.9`

Bug Fixes

Prefix pathnames when switching with useRouter to another locale (#2021) (c82d0af), closes #2020 – by @amannn

`v4.3.8`

Bug Fixes

Avoid double-encoding of already encoded params (#2017) (31265b4), closes #2014 – by @amannn

`v4.3.7`

Bug Fixes

Avoid usePathname inconsistency in Next.js leading to a hydration error with custom prefixes, localePrefix: 'always' and static rendering (#2012) (bc9cb62), closes #2011 vercel/next.js#73085 #1571 – by @hugotiger

`v4.3.6`

Bug Fixes

Ensure messages declaration continues working in next dev for upcoming next@15.5.1 (#2008) (2bf09ec) – by @amannn

`v4.3.5`

Bug Fixes

Don't create messages declaration file when running next {start,info,telemetry} (#1992) (fd0722a) – by @amannn

`v4.3.4`

Bug Fixes

Correctly compile messages containing escaped curly braces (e.g. '{name'}) (#1950) (4d418f4), closes #1948 – by @amannn

`v4.3.3`

Bug Fixes

Add friendly error message when failing to load current Next.js version (#1945) (5021773) – by @cupofjoakim

`v4.3.2`

Bug Fixes

Ensure cookie is synced before navigation with useRouter (#1947) (3ee9c4d) – by @amannn

`v4.3.1`

Bug Fixes

Use correct return type for getTimeZone (#2053) (bdc2af4), closes #2052 – by @amannn

`v4.3.0`

Features

Support BigInt for number interpolation with useTranslations (#1929) (a893330), closes #1928 – by @sgleisner

`v4.2.0`

Features

Encode non-ASCII characters in pathnames returned from navigation APIs (#1923) (3d23c61) – by @amannn

`v4.1.0`

Features

Add forcePrefix option for redirect and getPathname (#1865) (5905976) – by @amannn

`v4.0.3`

Features

Experimental support for --turbo (requires next@^14.0.3) (#641) (46c6ec7), closes #250

3.0.3 (2023-11-15)

Bug Fixes

Don't retrieve defaults for locale, now and timeZone if these options have been provided to NextIntlClientProvider (#633) (824363a), closes #631

3.0.2 (2023-11-15)

Bug Fixes

Allow usage of getTranslations({namespace}) without TypeScript integration for messages (#630) (62cf29c), closes #625

3.0.1 (2023-11-14)

Add provenance statement to published packages.

`v4.0.2`

Bug Fixes

Allow to use IntlErrorCode in user code (#1788) (913d307), closes #1787 – by @amannn

`v4.0.1`

Bug Fixes

Handle default exports correctly for moduleResolution: 'node' (#1785) (b7a4a83), closes /github.com/amannn/next-intl/discussions/1631#discussioncomment-12477848 – by @amannn

`v4.0.0`

See the announcement.

(#1412) (172656f) – by @amannn

`v3.26.5`

Bug Fixes

Handle query in <Link /> correctly when using localePrefix: 'as-needed' with domains (#1732) (ec8776e), closes #1731 – by @amannn

`v3.26.4`

Bug Fixes

Add workaround for OpenTelemetry/Zone.js (#1719) (1cac9a6), closes #1711 – by @amannn

`v3.26.3`

Bug Fixes

Add missing deprecation warnings for next-intl@4.0 (#1485) (1d60d08) – by @amannn

`v3.26.2`

Bug Fixes

Support t.has when getTranslations is called with an object argument (#1616) (64895a2), closes /github.com/amannn/next-intl/discussions/437#discussioncomment-11593318 – by @amannn

`v3.26.1`

Bug Fixes

Use new domain next-intl.dev in links (#1601) (40a9a77) – by @amannn

`v3.26.0`

Features

Support React 19 (#1597) (e0ffe29) – by @amannn

`v3.25.3`

Bug Fixes

Follow-up for #1573 to also handle the case when a non-default locale is in use (#1578) (fd71741), closes #1568 – by @amannn

`v3.25.2`

Bug Fixes

Handle inconsistency in Next.js when using usePathname with custom prefixes, localePrefix: 'as-needed' and static rendering (#1573) (20fd0f0) – by @amannn

`v3.25.1`

Bug Fixes

Correctly handle search params in redirects when using trailingSlash: true (#1537) (03a4620) – by @deini

`v3.25.0`

Features

Add type exports to enable declaration: true in tsconfig.json (#1509) (6b2ca9c) – by @osaton

`v3.24.0`

Features

Add support for React 19 RC (#1490) (2dea022) – by @amannn

`v3.23.5`

Bug Fixes

Don't warn when setting prefetch={true} on <Link /> (#1463) (fd6d73d), closes #1462 – by @amannn

`v3.23.4`

Bug Fixes

Upgrade to negotiator@^1.0 (#1460) (b93f297) – by @amannn

`v3.23.3`

Bug Fixes

Resolve locale for navigation APIs consistently from i18n/request.ts in react-server like all other APIs do (#1459) (8c6d5ff) – by @amannn

`v3.23.2`

Bug Fixes

Handle inlined search params and hashes correctly in <Link /> from createNavigation (#1448) (ba0a537) – by @amannn

`v3.23.1`

Bug Fixes

Remove usage of deprecated ReactNodeArray which is removed in React 19 (#1445) (2396345) – by @amannn

`v3.23.0`

Features

Add Next.js 15 to peer dependencies (#1443) (4cb22bb) – by @amannn

`v3.22.0`

Features

feat: createNavigation (#1316)
feat: Add async requestLocale param to getRequestConfig for Next.js 15 support (#1383)
feat: Add localeCookie option for middleware (#1414)
feat: Add setRequestLocale (#1437)

Fixes

fix: When using domains, handle unknown domains more gracefully (#1389)

Deprecations

Deprecate defaultTranslationValues (#1411)
Deprecate unstable_setRequestLocale (#1437)

`v3.21.1`

Bug Fixes

Repair package publishing workflow (this release doesn't include any library changes) (ceba9ae) – by @amannn

`v3.20.0`

Features

Type-safe global formats (#1346) (b7aa14e) – by @dBianchii

`v3.19.5`

Bug Fixes

Make all keys of Formats type optional for easier usage (#1367) (a7cbd9b) – by @amannn

`v3.19.4`

Bug Fixes

Handle malformed pathnames in middleware (#1353) (dcda9d9), closes #1351 – by @amannn

`v3.19.3`

Bug Fixes

Handle overlapping locale prefixes correctly pt. 2 (#1344) (7958659) – by @amannn

`v3.19.2`

Bug Fixes

Handle overlapping custom locale prefixes correctly (#1343) (72c1731), closes #1329 – by @amannn

`v3.19.1`

Bug Fixes

Add error handling in case an invalid i18n request config file has been specified (#1327) (18b9fd6) – by @amannn

`v3.19.0`

Features

Support ./i18n/request.ts in addition to ./i18n.ts (#1308) (258e95e) – by @amannn

`v3.18.1`

Bug Fixes

Print warning for inconsistent i18n setup where no locale is read in getRequestConfig and also none is returned (#1305) (2f0f781) – by @amannn

`v3.18.0`

Features

Add defineRouting for easier i18n routing setup (#1299) (5ff6120) – by @amannn

`v3.17.6`

Bug Fixes

Enable React Compiler ESLint plugin and fix relevant case (#1281) (606f4cc) – by @amannn

`v3.17.5`

Bug Fixes

Lazy init message formatter for improved tree shaking in case useTranslations is only used in Server Components (#1279) (9f1725c) – by @amannn

`v3.17.4`

Bug Fixes

Update @formatjs/intl-localematcher to latest version (#1140) (c217582) – by @amannn

`v3.17.3`

Bug Fixes

Handle optional catch-all segments in navigation APIs if no value is provided and handle the case if a dynamic value appears multiple times in a pathname (#1259) (58ef482), closes #1236 – by @amannn

`v3.17.2`

Bug Fixes

Fix open redirect vulnerability for localePrefix: 'as-necessary' by sanitizing pathname in the middleware (#1208) (f42ac01), closes #1207 – by @hblee12294

`v3.17.1`

Bug Fixes

Apply useMemo for useRouter returned from createLocalizedPathnamesNavigation to keep a stable reference when possible (#1201) (a1b9a36), closes #1198 – by @amannn

`v3.17.0`

Features

Cache Intl.* constructors (#1193) (52c4f2c), closes #215 – by @amannn

`v3.16.0`

Features

Support trailingSlash: true in Next.js config (#1190) (cfbdee9) – by @amannn

`v3.15.5`

Bug Fixes

Support relative pathnames in redirect (#1178) (3b698d7), closes #1177 – by @amannn

`v3.15.4`

Bug Fixes

Export DomainsConfig (#1175) (c4d1bb0) – by @amannn

`v3.15.3`

Bug Fixes

Prefer more specific routes in usePathname when detecting the currently active pathname for localized pathnames (#1152) (936839e), closes #1151 – by @amannn

`v3.15.2`

Note: Version bump only for package root

`v3.15.1`

Bug Fixes

Remove @formatjs/ecma402-abstract dependency in favor of the automatically bundled one from intl-messageformat (#1141) – by @amannn

`v3.15.0`

Features

Add support for custom prefixes for i18n routing (#1086) (4ba921a)

3.14.1 (2024-05-23)

Bug Fixes

Handle external URLs passed to redirect and permanentRedirect (#1084 by @mhogeveen) (16b55e2)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency next-intl to v4 [security]

1195d83

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet