Update dependency next-intl to v4 [SECURITY] - autoclosed#453

Closed

renovate[bot] wants to merge 1 commit into

mainfrom

renovate/npm-next-intl-vulnerability

renovate Bot commented Apr 11, 2026

Contributor

This PR contains the following updates:

Package	Change	Age	Confidence
next-intl (source)	`^3.2.1` → `^4.0.0`

GitHub Vulnerability Alerts

GHSA-8f24-v5vv-gm5j

Impact

Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.

Patches

The problem has been patched, please update to next-intl@4.9.1.

Credits

Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.

Release Notes

amannn/next-intl (next-intl)

`v4.9.1`

Bug Fixes

Improve middleware pathname validation (#2304) (1c80b66) – by @amannn

`v4.9.0`

Features

Support transitionTypes on Link (#2302) (02811f5) – by @amannn

`v4.8.4`

Bug Fixes

Remove TypeScript peer dependency and update examples to TypeScript v6 (#2293) (5e7bcd7) – by @wojtekmaj

`v4.8.3`

Bug Fixes

Update @formatjs/intl-localematcher (#2265) (196f1f3) – by @amannn

`v4.8.2`

Bug Fixes

Avoid throwing config errors for non-Next.js consumers of next.config.ts (#2245) (f57800e) – by @amannn

`v4.8.1`

Bug Fixes

Fix precompile alias on Windows (#2237) (8e7151a) – by @amannn

`v4.8.0`

Features

Ahead-of-time compilation for messages (#2220) (02149c1) – by @amannn

`v4.7.0`

Features

Improvements for useExtracted (#2200) (ebc5e43) – by @amannn

`v4.6.1`

Bug Fixes

Improvements for useExtracted (#2176) (3937e44) – by @amannn

`v4.6.0`

Features

Custom formats for useExtracted, consistency fixes for file references, pruning of messages and sorting of keys (#2155) (c02818e) – by @amannn

`v4.5.8`

Bug Fixes

Improvements for useExtracted (#2152) (9b7c9fe) – by @amannn

`v4.5.7`

Bug Fixes

Skip accept-language parsing when locale cookie is already present (#2143) (0d1331b), closes #2116 – by @lxup

`v4.5.6`

Bug Fixes

Improvements for useExtracted (#2133) (5397c49) – by @amannn

`v4.5.5`

Bug Fixes

Move SWC cache to node_modules (#2120) (0ba9105) – by @amannn

`v4.5.4`

Bug Fixes

Move AST transformer of useExtracted to SWC plugin & handle source maps (#2114) (e63fbc5) – by @amannn

`v4.5.3`

Bug Fixes

Fix inconsistent ordering of messages for useExtracted pt. 2 (#2103) (5cbd5da) – by @amannn

`v4.5.2`

Bug Fixes

Bug fixes for useExtracted (#2099) (b1ff1fa) – by @amannn

`v4.5.1`

Bug Fixes

Avoid partial matches in overlapping localized pathnames (#2090) (c276c80), closes #2089 #2089 – by @amannn

`v4.5.0`

Features

Add useExtracted (experimental) (#2080) (7a85644) – by @amannn

`v4.4.0`

Features

Next.js 16 update (#2054) (c397e92) – by @amannn

`v4.3.12`

Bug Fixes

Use correct return type for getTimeZone (#2053) (bdc2af4), closes #2052 – by @amannn

`v4.3.11`

Bug Fixes

Only call NextResponse.rewrite if really necessary (#2051) (43ed4aa) – by @amannn

`v4.3.10`

Bug Fixes

Bump @types/react version (#2050) (c1e997e), closes #2044 #2044 – by @amannn

`v4.3.9`

Bug Fixes

Prefix pathnames when switching with useRouter to another locale (#2021) (c82d0af), closes #2020 – by @amannn

`v4.3.8`

Bug Fixes

Avoid double-encoding of already encoded params (#2017) (31265b4), closes #2014 – by @amannn

`v4.3.7`

Bug Fixes

Avoid usePathname inconsistency in Next.js leading to a hydration error with custom prefixes, localePrefix: 'always' and static rendering (#2012) (bc9cb62), closes #2011 vercel/next.js#73085 #1571 – by @hugotiger

`v4.3.6`

Bug Fixes

Ensure messages declaration continues working in next dev for upcoming next@15.5.1 (#2008) (2bf09ec) – by @amannn

`v4.3.5`

Bug Fixes

Don't create messages declaration file when running next {start,info,telemetry} (#1992) (fd0722a) – by @amannn

`v4.3.4`

Bug Fixes

Correctly compile messages containing escaped curly braces (e.g. '{name'}) (#1950) (4d418f4), closes #1948 – by @amannn

`v4.3.3`

Bug Fixes

Add friendly error message when failing to load current Next.js version (#1945) (5021773) – by @cupofjoakim

`v4.3.2`

Bug Fixes

Ensure cookie is synced before navigation with useRouter (#1947) (3ee9c4d) – by @amannn

`v4.3.1`

Bug Fixes

Use correct return type for getTimeZone (#2053) (bdc2af4), closes #2052 – by @amannn

`v4.3.0`

Features

Support BigInt for number interpolation with useTranslations (#1929) (a893330), closes #1928 – by @sgleisner

`v4.2.0`

Features

Encode non-ASCII characters in pathnames returned from navigation APIs (#1923) (3d23c61) – by @amannn

`v4.1.0`

Features

Add forcePrefix option for redirect and getPathname (#1865) (5905976) – by @amannn

`v4.0.3`

Features

Experimental support for --turbo (requires next@^14.0.3) (#641) (46c6ec7), closes #250

3.0.3 (2023-11-15)

Bug Fixes

Don't retrieve defaults for locale, now and timeZone if these options have been provided to NextIntlClientProvider (#633) (824363a), closes #631

3.0.2 (2023-11-15)

Bug Fixes

Allow usage of getTranslations({namespace}) without TypeScript integration for messages (#630) (62cf29c), closes #625

3.0.1 (2023-11-14)

Add provenance statement to published packages.

`v4.0.2`

Bug Fixes

Allow to use IntlErrorCode in user code (#1788) (913d307), closes #1787 – by @amannn

`v4.0.1`

Bug Fixes

Handle default exports correctly for moduleResolution: 'node' (#1785) (b7a4a83), closes /github.com/amannn/next-intl/discussions/1631#discussioncomment-12477848 – by @amannn

`v4.0.0`

See the announcement.

(#1412) (172656f) – by @amannn

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency next-intl to v4 [SECURITY]

b479daa

renovate Bot added the dependencies label

renovate Bot changed the title ~~Update dependency next-intl to v4 [SECURITY]~~ Update dependency next-intl to v4 [SECURITY] - autoclosed

renovate Bot closed this

renovate Bot deleted the renovate/npm-next-intl-vulnerability branch

April 14, 2026 00:49

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels