Sourced from i18next-http-middleware's changelog.

v3.9.6

• Fix cookie header being overwritten instead of appended #126

v3.9.5

• fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale layouts such as public/locales/en/a/b.json on fs-backend, /locales/en/a/b.json on http-backend) are no longer dropped by getResourcesHandler. 3.9.3's security fix applied the same strict identifier check to both lng and ns via utils.isSafeIdentifier, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of the backend loadPath and is common enough in the wild to be worth accommodating. isSafeIdentifier is now split into isSafeLangIdentifier (strict — still rejects /) and isSafeNsIdentifier (loose — allows / but still rejects .., \, control chars, prototype keys, and oversized inputs). isSafeIdentifier is kept as a backwards-compatible alias for the strict check. The 3.9.3 security fix remains in force for every concrete attack pattern from the original advisory.

v3.9.4

• Add Set-Cookie header to response in Fresh plugin so language preference persists across reloads/new tabs #125

v3.9.3

Security release — all issues found via an internal audit. See published GHSA advisories GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg.

• security: guard utils.setPath against prototype pollution via crafted lng/ns in getResourcesHandler (GHSA-5fgg-jcpf-8jjw)
• security: sanitise Content-Language response header to prevent CRLF injection / unhandled ERR_INVALID_CHAR crash via unsanitised language codes (GHSA-c3h8-g69v-pjrg)
• security: skip inherited/prototype-polluting keys (__proto__, constructor, prototype) in missingKeyHandler request body (GHSA-5fgg-jcpf-8jjw)
• security: filter unsafe lng/ns values in getResourcesHandler (reject path-traversal, path separators, control characters, prototype keys, over-long inputs) to prevent path traversal / SSRF via the backend connector and unbounded growth of the shared i18next.options.ns array. Any legitimate language code shape is still accepted — i18next permits arbitrary codes (FAQ) (GHSA-5fgg-jcpf-8jjw)
• security: hasXSS regex now catches event handlers in any attribute position (previously only matched when the handler was the first attribute; e.g. <input autofocus onfocus=…> bypassed the filter)
• security: automatically set the Secure flag on the language cookie when cookieSameSite: 'none' — browsers reject SameSite=None without Secure
• chore: ignore .env* and *.pem/*.key files in .gitignore

• 8d2354a 3.9.6
• c5c20a1 release
• 4c28da5 Fix cookie header being overwritten instead of appended (#126)
• 6edc535 docs: clarify that nested-ns with slashes was never officially supported
• 98afc71 3.9.5
• 1d275bb fix: allow forward slashes in ns values
• 2a68a6d 3.9.4
• 7481bda bump
• 5e586d7 Add Set-Cookie header to response in Fresh plugin (#125)
• e966aa1 Bump i18next-locize-backend from 4.0.7 to 9.0.2 in /example/basic-locize (#124)
• Additional commits viewable in compare view