
Conversation

@openverse-bot
Collaborator

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| @intlify/core-base (source) | devDependencies | minor | `11.0.1` -> `11.1.10` |

GitHub Vulnerability Alerts

CVE-2025-53892

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting does not prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted into an HTML attribute context and the result is rendered as HTML with v-html.

This may lead to a DOM-based XSS vulnerability, even with escapeParameterHtml: true enabled, if a translation string includes some HTML of its own and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes the HTML metacharacters in each interpolated parameter, which neutralizes the common injection points in text context.

However, it does not account for the context the escaped value lands in. If the message template itself places the placeholder inside a tag attribute (for example an on* event handler), the value is still attribute content: the browser decodes HTML entities in attribute values before evaluating a handler body, and a body such as alert(1) contains no metacharacters to escape in the first place. Attribute contexts can therefore still be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

```js
import { createI18n } from 'vue-i18n'

const i18n = createI18n({
  locale: 'en',                 // added so the 'en' messages below are actually resolved
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});
```

Use this interpolated payload:

```js
const payload = '<script>alert("xss")</script>';
```

Render the translation using v-html (even without using v-html):

```html
<p v-html="$t('vulnerable', { payload })"></p>
```
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml).


Release Notes

intlify/vue-i18n (@intlify/core-base)

v11.1.10

Compare Source

🔒 Security Fixes
  • fix: DOM-based XSS via tag attributes for escape parameter; for details see GHSA-x8qp-wqqm-57ph

Full Changelog: intlify/vue-i18n@v11.1.9...v11.1.10

v11.1.9

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.8...v11.1.9

v11.1.8

Compare Source

What's Changed
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.7...v11.1.8

v11.1.7

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v11.1.6...v11.1.7

v11.1.6

Compare Source

What's Changed
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.5...v11.1.6

v11.1.5

Compare Source

What's Changed
🐛 Bug Fixes

Full Changelog: intlify/vue-i18n@v11.1.4...v11.1.5

v11.1.4

Compare Source

What's Changed
🌟 Features
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.3...v11.1.4

v11.1.3

Compare Source

What's Changed
🐛 Bug Fixes
⚡ Improvement Features

Full Changelog: intlify/vue-i18n@v11.1.2...v11.1.3

v11.1.2

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v11.1.1...v11.1.2

v11.1.1

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.0...v11.1.1

v11.1.0

Compare Source

What's Changed

🌟 Features
📝️ Documentations

Full Changelog: intlify/vue-i18n@v11.0.1...v11.1.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
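The advisory above says escaping the parameter value is not enough when the translation template itself puts the placeholder inside a tag attribute. The following is an added example written for this page; it is not vue-i18n's code and not the advisory's PoC. `escapeHtml` and `interpolate` are simplified stand-ins (an assumption) for what the `escapeParameterHtml` option does to each named parameter, `eventHandlerBodies` models the browser decoding entities in an on* attribute before evaluating it, and `placeholdersInTagContext` is a hypothetical catalog lint that flags placeholders sitting in attribute context. The message catalog is constructed for the example, with the first entry taken from the advisory's PoC.

```javascript
// Added example (not vue-i18n's code and not from the advisory): a simplified
// stand-in for escapeParameterHtml, used to show why HTML-escaping a parameter
// is not enough when the template places the placeholder inside a tag attribute,
// plus a catalog lint that flags such templates before they ship.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_UNESCAPES = Object.fromEntries(Object.entries(HTML_ESCAPES).map(([c, e]) => [e, c]));

// Escape the five HTML metacharacters (assumption: this approximates what the
// escapeParameterHtml option does to each interpolated string value).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Resolve {name} placeholders, escaping every parameter value.
function interpolate(template, params) {
  return template.replace(/\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(params, name) ? escapeHtml(params[name]) : match);
}

// Model of what the HTML parser hands to the JS engine for an on* handler:
// character references in attribute values are decoded before evaluation.
function decodeEntities(value) {
  return value.replace(/&(?:amp|lt|gt|quot|#39);/g, ent => HTML_UNESCAPES[ent]);
}

// Pull the (decoded) bodies of double-quoted on* event-handler attributes out of markup.
function eventHandlerBodies(html) {
  const bodies = [];
  const re = /\son(\w+)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    bodies.push({ event: m[1].toLowerCase(), code: decodeEntities(m[2]) });
  }
  return bodies;
}

// Hypothetical catalog lint: report every placeholder that sits between the '<' and '>'
// of a tag, i.e. in attribute context, where escaping the value cannot make it safe.
function placeholdersInTagContext(messages) {
  const findings = [];
  for (const [key, template] of Object.entries(messages)) {
    for (const tag of template.match(/<[^>]*>/g) || []) {
      for (const placeholder of tag.match(/\{\w+\}/g) || []) findings.push({ key, placeholder });
    }
  }
  return findings;
}

// Constructed sample catalog: the first message is the advisory's PoC template.
const messages = {
  vulnerable: 'Caution: <img src=x onerror="{payload}">', // placeholder in attribute context
  safe: 'Caution: {payload}',                              // placeholder in text context
};

function demo() {
  // 1. Text context: escaping works, the injected tag is rendered as literal text.
  const textCtx = interpolate(messages.safe, { payload: '<img src=x onerror=alert(1)>' });

  // 2. Attribute context: the value needs no metacharacters at all, so escaping is a
  //    no-op and v-html installs a working onerror handler.
  const attrCtx = interpolate(messages.vulnerable, { payload: 'alert(document.domain)' });

  // 3. Even a value that does get escaped is decoded again by the attribute parser
  //    before the handler body is evaluated.
  const handlers = eventHandlerBodies(interpolate(messages.vulnerable, { payload: 'alert("xss")' }));

  return { textCtx, attrCtx, handlers, lint: placeholdersInTagContext(messages) };
}
```

The practical takeaway is that escaping is context-specific: it makes a value safe as text, not as part of a tag. Running a check like `placeholdersInTagContext` over the real message catalogs in CI catches templates that interpolate into attributes, and templates rendered with v-html should not carry placeholders inside tags at all. The lint is regex-based and will miss placeholders in tags whose attribute values contain a literal `>`, so treat it as a first pass rather than a proof.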

@openverse-bot openverse-bot requested a review from a team as a code owner November 24, 2025 08:12
@openverse-bot openverse-bot added dependencies Pull requests that update a dependency file 💻 aspect: code Concerns the software code in the repository 🟨 tech: javascript Involves JavaScript 🟩 priority: low Low priority and doesn't need to be rushed 🧰 goal: internal improvement Improvement that benefits maintainers, not users labels Nov 24, 2025
@openverse-bot openverse-bot requested a review from obulat November 24, 2025 08:12
@openverse-bot openverse-bot added the 🧱 stack: frontend Related to the Nuxt frontend label Nov 24, 2025
@openverse-bot openverse-bot moved this to 👀 Needs Review in Openverse PRs Nov 24, 2025
@github-actions

github-actions bot commented Nov 24, 2025

Latest k6 run output [1]

     ✓ status was 200

     checks.........................: 100.00% ✓ 404      ✗ 0   
     data_received..................: 95 MB   394 kB/s
     data_sent......................: 53 kB   220 B/s
     http_req_blocked...............: avg=40.21µs  min=2.14µs   med=4.71µs   max=2.81ms   p(90)=142.46µs p(95)=164.22µs
     http_req_connecting............: avg=27.51µs  min=0s       med=0s       max=2.7ms    p(90)=97.71µs  p(95)=113.84µs
     http_req_duration..............: avg=148.83ms min=18.18ms  med=98.09ms  max=929.33ms p(90)=348.47ms p(95)=426.39ms
       { expected_response:true }...: avg=148.83ms min=18.18ms  med=98.09ms  max=929.33ms p(90)=348.47ms p(95)=426.39ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 404 
     http_req_receiving.............: avg=176.44µs min=48.38µs  med=142.13µs max=3.96ms   p(90)=285.82µs p(95)=360.67µs
     http_req_sending...............: avg=23.46µs  min=7.08µs   med=21.59µs  max=102.46µs p(90)=37.19µs  p(95)=41.9µs  
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=148.63ms min=18.08ms  med=97.32ms  max=929.09ms p(90)=348.15ms p(95)=425.94ms
     http_reqs......................: 404     1.678768/s
     iteration_duration.............: avg=808.66ms min=248.05ms med=904.18ms max=1.63s    p(90)=1.09s    p(95)=1.16s   
     iterations.....................: 75      0.311652/s
     vus............................: 1       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

  1. This comment will automatically update with new output each time k6 runs for this PR

@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-base-vulnerability branch 4 times, most recently from 8c61e44 to 63284b7 Compare November 26, 2025 23:08
@openverse-bot openverse-bot force-pushed the gha-renovatenpm-intlify-core-base-vulnerability branch from 63284b7 to ca5bd00 Compare November 28, 2025 14:40
@github-actions

Playwright failure test results: https://github.com/WordPress/openverse/actions/runs/19766902359

It looks like some of the Playwright tests failed. If you made changes to the frontend UI without updating snapshots, this might be the cause. You can download zipped patches containing the updated snapshots alongside a general trace of the tests under the "Artifacts" section in the above page. They're named in the form *_snapshot_diff and *_test_results respectively.

You can read more on how to use these artifacts in the docs.

If the test is flaky, follow the flaky test triage procedure.
