i18ntk 4.5.2 → 4.5.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +182 -37
- package/README.md +27 -14
- package/main/i18ntk-analyze.js +77 -42
- package/main/i18ntk-complete.js +56 -37
- package/main/i18ntk-report.js +22 -9
- package/main/i18ntk-scanner.js +3 -0
- package/main/i18ntk-sizing.js +9 -6
- package/main/i18ntk-summary.js +61 -39
- package/main/i18ntk-usage.js +30 -17
- package/main/i18ntk-validate.js +38 -24
- package/main/manage/commands/AnalyzeCommand.js +79 -44
- package/main/manage/commands/ScannerCommand.js +13 -7
- package/main/manage/commands/ValidateCommand.js +37 -23
- package/main/manage/index.js +13 -9
- package/package.json +13 -6
- package/utils/config-helper.js +41 -31
- package/utils/exit-codes.js +8 -6
- package/utils/prompt-helper.js +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,13 +5,48 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [4.5.4] - 2026-06-19
|
|
9
|
+
|
|
10
|
+
### Fixed
|
|
11
|
+
|
|
12
|
+
- **Analyze:** Fixed `this.provideSetupGuidance is not a function` when no target locales are available. Analyze now prints setup guidance instead of crashing.
|
|
13
|
+
- **Manager Route:** Manager-routed commands now propagate subcommand failures and no longer print `Operation completed successfully!` after a runtime failure.
|
|
14
|
+
- **Complete:** Fixed `i18ntk-complete --help` by wiring the shared help renderer and keeping help output side-effect free.
|
|
15
|
+
- **Validate:** Removed mixed failure/success output. Validation only prints successful completion when the validation result succeeds.
|
|
16
|
+
- **Summary:** Guarded empty locale roots so `Average keys per language` prints `0` instead of `NaN`, and missing locale roots exit as invalid setup/argument failures.
|
|
17
|
+
- **Analyze Reports:** Report write failures now fail analyze with a non-zero exit code instead of continuing with success wording.
|
|
18
|
+
|
|
19
|
+
### Changed
|
|
20
|
+
|
|
21
|
+
- **CLI Flags:** Added canonical aliases: `--code-dir` / `--source-code-dir` for application source files, `--locales-dir` / `--i18n-dir` for locale files, and `--source-locale` for source language. Legacy `--source-dir`, `--i18n-dir`, and `--source-language` remain supported.
|
|
22
|
+
- **Exit Codes:** Standardized automation behavior: `0` for success, `1` for validation/report/runtime failures, and `2` for invalid arguments or missing setup in non-interactive mode.
|
|
23
|
+
- **CI Behavior:** Commands skip prompts when `--no-prompt` is passed, `CI=true`, stdin is not a TTY, or stdout is not a TTY.
|
|
24
|
+
- **Complete Summary:** Completion output now distinguishes locales scanned, target locales changed, unique source keys added, total key insertions, files modified, files skipped, and dry-run status.
|
|
25
|
+
|
|
26
|
+
### Documentation
|
|
27
|
+
|
|
28
|
+
- Updated README, API, configuration, scanner, and environment-variable docs with canonical CLI flags, legacy alias notes, and CI exit-code behavior.
|
|
29
|
+
|
|
30
|
+
### Tests
|
|
31
|
+
|
|
32
|
+
- Added CLI reliability regression coverage for the analyze crash, manager failure propagation, complete help output, directory/source-locale aliases, summary `NaN`, non-interactive prompt suppression, validation wording, and completion summary labels.
|
|
33
|
+
|
|
34
|
+
## [4.5.3] - 2026-06-19
|
|
35
|
+
|
|
36
|
+
### Fixed
|
|
37
|
+
|
|
38
|
+
- **Usage Scanner (Critical):** Fixed `supportedExtensions` default fallback in `config-helper.js` that excluded `.tsx` and `.jsx` files from source scanning. The default was `['.json', '.js', '.ts']` — missing `.jsx` and `.tsx`. In a Next.js project with 2704 keys across 1087 files, this caused the scanner to find only 57 keys (2.1%) instead of 2702 (99.9%) because all `.tsx` component files were silently ignored. The fix adds `.jsx` and `.tsx` to the default fallback: `['.json', '.js', '.jsx', '.ts', '.tsx']`.
|
|
39
|
+
- **Usage Dead Code:** Cleaned up unreachable initializer in `i18ntk-usage.js` that was supposed to set default `includeExtensions` but never ran because `supportedExtensions` was always set by `config-helper.js`. Added `.vue` and `.svelte` to the fallback for completeness.
|
|
40
|
+
|
|
8
41
|
## [4.5.2] - 2026-06-19
|
|
9
42
|
|
|
10
43
|
### Fixed
|
|
44
|
+
|
|
11
45
|
- **Complete (Namespace Wrapper):** Fixed critical bug where missing keys were inserted at the wrong nesting level in target locale files. When a file (e.g., `auth.json`) contains a namespace wrapper matching its filename (`{ "auth": { ... } }`), the `complete` command now detects this wrapper and inserts keys inside it (`auth.panel.sign_in`) instead of at root level (`panel.sign_in`). This prevents runtime lookup failures for `t("auth.panel.sign_in")`.
|
|
12
46
|
- **Translate (--output-dir):** Fixed bug where the `--output-dir` flag wrote translated files directly to `<output-dir>/<filename>` instead of `<output-dir>/<targetLang>/<filename>`. This caused all translations (regardless of target language) to land in the same directory, silently overwriting files from other languages in multi-language projects. When `args.outputDir` is provided, `processFile()` now appends `targetLang` to construct the correct output path.
|
|
13
47
|
|
|
14
48
|
### Tests
|
|
49
|
+
|
|
15
50
|
- Added `tests/regression-v452.test.js` with 18 regression tests covering:
|
|
16
51
|
- Complete command namespace wrapper detection (parseKeyPath, setNestedValue, hasNestedKey, wrapper detection logic)
|
|
17
52
|
- Validate getAllKeys leaf-only mode and completeness calculation
|
|
@@ -19,7 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
19
54
|
- Scanner source directory fallback when sourceDir equals i18nDir
|
|
20
55
|
- Doctor auto-detection of languages from i18n directory
|
|
21
56
|
- Version consistency across package files
|
|
22
|
-
- Added `--output-dir` target language subdirectory tests to `tests/regression-v452.test.js`: verifies `processFile()` places output in `<outputDir>/<targetLang>/<file>` and that CLI `--output-dir` produces the correct nested path
|
|
57
|
+
- Added `--output-dir` target language subdirectory tests to `tests/regression-v452.test.js`: verifies `processFile()` places output in `<outputDir>/<targetLang>/<file>` and that CLI `--output-dir` produces the correct nested path
|
|
23
58
|
- Added 8 tests in `tests/usage-insights.test.js` for hardcoded text false-positive filtering:
|
|
24
59
|
- JS/TS built-in type name rejection (Promise, Boolean, String)
|
|
25
60
|
- Code expression operator rejection (&&, ||, ===, !==, =>)
|
|
@@ -29,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
29
64
|
## [4.5.1] - 2026-06-19
|
|
30
65
|
|
|
31
66
|
### Fixed
|
|
67
|
+
|
|
32
68
|
- **Complete:** Fixed wrong nesting level when adding missing keys to target locale files that have a namespace wrapper matching the file name. Previously, `parseKeyPath("auth.panel.sign_in")` returned `{ file: "auth.json", key: "panel.sign_in" }`, and `setNestedValue` inserted `panel` at the root level instead of inside the existing `auth` wrapper. The fix detects namespace wrappers (e.g., `auth.json` containing `{ "auth": { ... } }`) and prepends the namespace to the insertion path so keys go inside the wrapper.
|
|
33
69
|
- **Validate:** `getAllKeys()` no longer reports parent namespace objects (e.g., `footer`) as missing keys alongside their leaf children (`footer.copyright`). Only leaf (string) keys are now compared during structural validation.
|
|
34
70
|
- **Validate:** Completion percentage now compares against source locale total keys, not target locale self-count. A locale with 14 of 42 source keys now correctly shows 33% instead of 100%.
|
|
@@ -39,12 +75,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
39
75
|
## [4.5.0] - 2026-06-19
|
|
40
76
|
|
|
41
77
|
### Security — Prototype Pollution Hardened
|
|
78
|
+
|
|
42
79
|
- **safe-json.js:** Added `stripPrototypePollution()` function that recursively filters `__proto__`, `constructor`, and `prototype` keys from parsed JSON locale files. Applied to all `readJsonSafe()` calls.
|
|
43
80
|
- **runtime/index.js:** `deepMerge()` now blocks `__proto__`, `constructor`, and `prototype` keys during locale data merging. `readJsonSafe()` now applies `stripPrototypeKeys()` to all parsed JSON, ensuring prototype pollution protection at runtime data ingestion point.
|
|
44
81
|
- **settings-manager.js:** `mergeWithDefaults()` now filters prototype pollution keys from user-supplied settings before spreading into defaults.
|
|
45
82
|
- **safe-json.js:** Exported `stripPrototypePollution` for use by other modules.
|
|
46
83
|
|
|
47
84
|
### Fixed
|
|
85
|
+
|
|
48
86
|
- **Backup:** Removed duplicate `const sourceDir` declaration that caused SyntaxError at module load (was unrecoverable crash for all backup operations).
|
|
49
87
|
- **Backup:** Added `try/catch` around `JSON.parse()` in restore path to handle corrupt backup files gracefully with a descriptive error message.
|
|
50
88
|
- **Complete:** Added missing `getUnifiedConfig` import from `utils/config-helper` (was ReferenceError at runtime).
|
|
@@ -56,6 +94,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
56
94
|
- **i18n-helper:** `stripBOMAndComments()` now safely handles null/undefined inputs.
|
|
57
95
|
|
|
58
96
|
### Changed
|
|
97
|
+
|
|
59
98
|
- **Version:** Bumped to 4.5.0 (minor version due to scope and severity of security fixes).
|
|
60
99
|
- **i18n-helper deepMerge:** Synchronized with runtime `deepMerge` — now uses `Object.keys` (safe) instead of `for...in`, handles null target/fallback, and filters `__proto__`/`constructor`/`prototype` keys for consistent prototype pollution protection across all code paths.
|
|
61
100
|
- **Testing:** Added `tests/edge-case-hardening.test.js` with 33 new tests covering prototype pollution protection, SecurityUtils edge cases, backup corrupt handling, report malformed JSON resilience, validation risk detection null-safety, config manager robustness, version consistency, and deepMerge edge cases.
|
|
@@ -64,6 +103,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
64
103
|
## [4.4.5] - 2026-06-08
|
|
65
104
|
|
|
66
105
|
### Fixed
|
|
106
|
+
|
|
67
107
|
- Removed orphaned duplicate code block from `main/i18ntk-scanner.js` that caused a SyntaxError when loading the scanner CLI.
|
|
68
108
|
- Fixed `utils/safe-json.js` where a duplicate `readJsonSafe` function overwrote the SecurityUtils-based implementation with an insecure version that referenced an undefined `fs` variable.
|
|
69
109
|
- Added periodic cache eviction to `missingKeyCache` in `utils/i18n-helper.js` to prevent unbounded memory growth in long-running processes.
|
|
@@ -78,43 +118,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
78
118
|
- **Security:** `validateConfig` now runs `isSafePath` validation on absolute paths instead of skipping them entirely (`return` in forEach was bypassing all checks for absolute config paths).
|
|
79
119
|
|
|
80
120
|
### Added
|
|
121
|
+
|
|
81
122
|
- **Framework detection:** Added support for ngx-translate (Angular), next-intl (Next.js), nuxt-i18n (Nuxt), svelte-i18n (Svelte), and solid-i18n (Solid) framework detection via dependency lookup.
|
|
82
123
|
- `detectFramework()` now also checks the `dependencies` property as a fallback for the `deps` array, ensuring backward compatibility.
|
|
83
124
|
- Created `tests/fixtures/test.json` fixture so file system security tests validate real file reads instead of passing vacuously.
|
|
84
125
|
|
|
85
126
|
### Changed
|
|
127
|
+
|
|
86
128
|
- Removed dead `{ gte }` import from `version-utils` and unused `FRAMEWORK_COMPATIBILITY` object from `framework-detector.js`.
|
|
87
129
|
- Security test `logSecurityEvent` now properly sets `I18NTK_DEBUG` and `I18NTK_ENABLE_SECURITY_LOGS` env vars and uses try/catch to verify non-throw behavior.
|
|
88
130
|
- `validateConfig` "reject invalid configuration" test now uses `assert.strictEqual` for stronger path traversal assertions.
|
|
89
131
|
|
|
90
|
-
## [4.4.4] - 2026-06-05
|
|
91
|
-
|
|
92
|
-
### Fixed
|
|
93
|
-
|
|
94
|
-
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
132
|
+
## [4.4.4] - 2026-06-05
|
|
133
|
+
|
|
134
|
+
### Fixed
|
|
135
|
+
|
|
136
|
+
- Likely-untranslated reporting now ignores placeholder-only and symbol/dynamic values such as `{file}`, `{path}`, and icon-prefixed labels instead of treating them as untranslated English.
|
|
137
|
+
- Dynamic values with translated surrounding copy and English placeholder tokens, such as `"command": "指示: {command}"`, are no longer flagged as untranslated.
|
|
138
|
+
|
|
139
|
+
### Changed
|
|
140
|
+
|
|
141
|
+
- `.i18ntk-config` now accepts a top-level `extensions` object for VS Code Workbench and Lens settings. The CLI preserves this section during config validation and ignores unknown extension-owned nested keys.
|
|
142
|
+
- Documented shared config edge cases so editor extensions can sync workspace defaults without changing CLI behavior.
|
|
143
|
+
|
|
144
|
+
## [4.4.3] - 2026-06-04
|
|
145
|
+
|
|
146
|
+
### Fixed
|
|
147
|
+
|
|
103
148
|
- `package.public.json` now includes the `./report` export entry (`./utils/report-model.js`) that was missing, fixing the sync check during public package builds.
|
|
104
149
|
|
|
105
|
-
## [4.4.2] - 2026-06-02
|
|
106
|
-
|
|
107
|
-
### Fixed
|
|
108
|
-
|
|
109
|
-
- Auto Translate now
|
|
110
|
-
- Auto Translate
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
150
|
+
## [4.4.2] - 2026-06-02
|
|
151
|
+
|
|
152
|
+
### Fixed
|
|
153
|
+
|
|
154
|
+
- Auto Translate `processFile()` now accepts source file paths relative to the current project, matching direct CLI behavior and avoiding safe-read failures in programmatic callers.
|
|
155
|
+
- Auto Translate now treats protected product terms as allowed English when deciding whether existing target values should be kept in `only-missing` mode.
|
|
156
|
+
- Auto Translate detects and retries more visibly broken target values, including replacement-character artifacts, mojibake, repeated question marks, and target-language prefix leftovers.
|
|
157
|
+
|
|
158
|
+
### Added
|
|
159
|
+
|
|
160
|
+
- Added regression coverage for relative source paths, protected product terms, broken target values, placeholder handling, and managed Auto Translate residual checks.
|
|
161
|
+
|
|
162
|
+
## [4.4.1] - 2026-06-02
|
|
163
|
+
|
|
164
|
+
### Security
|
|
165
|
+
|
|
118
166
|
- **HIGH**: Backup operations (`create`, `restore`, `list`, `verify`) now validate all path arguments via `SecurityUtils.validatePath()`. Previously, `i18ntk-backup` accepted arbitrary `--output` and source directory paths without any validation, enabling writes outside project boundaries.
|
|
119
167
|
- **HIGH**: Backup `handleCreate`, `handleRestore` now use `SecurityUtils.safeWriteFileSync`, `safeReadFileSync`, `safeMkdirSync` instead of raw `fs.promises`/`fs` calls.
|
|
120
168
|
- **HIGH**: `i18ntk-complete` now validates `--source-dir` CLI override through `SecurityUtils.validatePath()` and sanitizes `--source-language` through `SecurityUtils.sanitizeInput()` instead of accepting raw user input.
|
|
@@ -127,11 +175,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
127
175
|
- **LOW**: i18ntk Lens `scanner.ts` now rejects custom wrapper names > 100 characters to prevent ReDoS via malicious VSCode config values.
|
|
128
176
|
|
|
129
177
|
### Added
|
|
178
|
+
|
|
130
179
|
- `SecurityUtils.MAX_JSON_SIZE`, `SecurityUtils.MAX_JSON_DEPTH`, `SecurityUtils.MAX_FILENAME_LENGTH` constants for configurable safety limits.
|
|
131
180
|
|
|
132
181
|
## [4.4.0] - 2026-06-02
|
|
133
182
|
|
|
134
183
|
### Added
|
|
184
|
+
|
|
135
185
|
- Dead-key detection now uses resolved dynamic key data from usage insights instead of crude text-overlap heuristics. Keys expanded from template literals or const arrays are properly tracked and marked with low confidence.
|
|
136
186
|
- Locale JSON import detection: `import en from '../../locales/en/foo.json'` is detected and property accesses are tracked as key usages.
|
|
137
187
|
- Confidence-split unused key reports: confirmed (≥80%), likely (40-80%), possibly used (<40%).
|
|
@@ -150,10 +200,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
150
200
|
- i18ntk Workbench and i18ntk Lens can read Auto Translate residual reports, show the affected key in the VS Code editor, and offer a quick action to add intentionally unchanged keys to Auto Translate protection.
|
|
151
201
|
- Bounded dynamic expansion suggestions in usage report with explicit-map recommendation pattern.
|
|
152
202
|
- Telemetry/event literal classification: known-key strings inside `trackEvent()`, `emitDomainEvent()`, `analytics.track()`, etc. are classified as `literal-telemetry` and excluded from translation usage counts. Non-translation calls get context notes in the report.
|
|
153
|
-
- Object-method translation calls: `input.tx("key")`, `helper.tx("key")`, and `.tx(\`key.${var}\`)`
|
|
203
|
+
- Object-method translation calls: `input.tx("key")`, `helper.tx("key")`, and `.tx(\`key.${var}\`)`are now recognized as translation calls alongside standalone`tx()`.
|
|
154
204
|
- Local wrapper resolution: functions like `const text = (key, fallback) => tx(key)` that internally call known translation runtimes are detected and their string-literal invocations resolved to keys with `local-wrapper` match type.
|
|
155
205
|
|
|
156
206
|
### Fixed
|
|
207
|
+
|
|
157
208
|
- `--source-dir` and `--i18n-dir` no longer forced to the same value when both are explicitly passed via CLI.
|
|
158
209
|
- Path display (`displayPaths`) now reflects CLI overrides instead of only config file values.
|
|
159
210
|
- Dead-key detection `_matchesDynamicPattern` replaced with `_matchesDynamicPrefix` using actual resolved data.
|
|
@@ -162,12 +213,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
162
213
|
- Object-method `tx()` calls and local wrapper functions are now included in usage analysis, preventing Lens false positives on keys used through these patterns.
|
|
163
214
|
|
|
164
215
|
### Changed
|
|
216
|
+
|
|
165
217
|
- VSCode workbench bumped to 1.1.0, lens extension to 1.1.0.
|
|
166
218
|
- Major changes list in package.json and package.public.json updated for 4.4.0.
|
|
167
219
|
|
|
168
220
|
## [4.3.3] - 2026-06-01
|
|
169
221
|
|
|
170
222
|
### Fixed
|
|
223
|
+
|
|
171
224
|
- Usage extraction no longer reports ordinary method calls such as `get("next")`, `headers.get("etag")`, `set(...)`, or `setItem(...)` as missing translation keys.
|
|
172
225
|
- Usage insights now resolve `tx(...)` wrapper calls and bounded dynamic `tx` template keys, reducing false unused-key reports for local wrappers.
|
|
173
226
|
- Key naming validation now supports hybrid dot-path plus snake_case segment keys, such as `namespace.section.snake_case_leaf`, while still rejecting malformed separators and uppercase segments.
|
|
@@ -176,12 +229,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
176
229
|
## [4.3.2] - 2026-05-31
|
|
177
230
|
|
|
178
231
|
### Changed
|
|
232
|
+
|
|
179
233
|
- Documentation, README badges, and migration guidance now reference the current 4.3.2 release.
|
|
180
234
|
- Release metadata now marks 4.3.0 for npm deprecation because its npm tarball is unavailable.
|
|
181
235
|
|
|
182
236
|
## [4.3.1] - 2026-05-31
|
|
183
237
|
|
|
184
238
|
### Fixed
|
|
239
|
+
|
|
185
240
|
- Published tarball now includes `utils/english-placeholder-checker.js`, resolving `MODULE_NOT_FOUND` at startup for `i18ntk-fixer --check-placeholders` and manager option 7.
|
|
186
241
|
- Language-specific CLI entry points (`main/i18ntk-go.js`, `main/i18ntk-java.js`, `main/i18ntk-js.js`, `main/i18ntk-php.js`, `main/i18ntk-py.js`) and their shared `utils/mini-commander.js` dependency are now included in the published package.
|
|
187
242
|
- Removed inconsistent `.js` extension suffixes from require paths in `main/i18ntk-js.js`.
|
|
@@ -189,6 +244,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
189
244
|
## [4.3.0] - 2026-05-31
|
|
190
245
|
|
|
191
246
|
### Fixed
|
|
247
|
+
|
|
192
248
|
- Auto Translate now treats single-word uppercase target-language placeholders such as `[AR] Email` and `[AR] Password` as untranslated target values, matching the existing multi-word `[AR] What We Offer` detection.
|
|
193
249
|
- Auto Translate now treats bracketed target-language placeholders case-insensitively, so `[zh] Email` and `[TR] Password` are both retried for the matching target language.
|
|
194
250
|
- Managed Auto Translate now checks every selected source file for a target language before reporting leftover failures, instead of stopping after the first failed file.
|
|
@@ -199,11 +255,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
199
255
|
## [4.2.1] - 2026-05-31
|
|
200
256
|
|
|
201
257
|
### Changed
|
|
258
|
+
|
|
202
259
|
- Auto Translate now treats uppercase target-language placeholders such as `[AR] What We Offer` as untranslated target values when the bracketed code matches the target language, so target-aware mode sends the source text for translation instead of keeping the placeholder copy.
|
|
203
260
|
- Auto Translate now performs a final pre-write leftover check and retries values that still look like placeholder-prefixed untranslated text, untranslated markers, source-language copies, or broken output.
|
|
204
261
|
- Auto Translate reports leftover values in the post-translation report and exits with validation failure when leftovers remain after the final retry, instead of reporting a clean completion.
|
|
205
262
|
|
|
206
263
|
### Fixed
|
|
264
|
+
|
|
207
265
|
- Usage analysis no longer writes its inferred app source fallback, such as `src`, back into the shared locale configuration when `sourceDir` and `i18nDir` are both the locale directory.
|
|
208
266
|
- Manager sizing now reads the configured i18n directory unless `--source-dir` is explicitly provided, so running sizing after usage no longer silently analyzes the wrong directory.
|
|
209
267
|
- Manager sizing now treats a failed sizing analysis as a command failure instead of printing a generic operation success.
|
|
@@ -212,6 +270,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
212
270
|
## [4.2.0] - 2026-05-30
|
|
213
271
|
|
|
214
272
|
### Security
|
|
273
|
+
|
|
215
274
|
- Shared path validation no longer permits artifact-like filenames such as `.lock` or `.temp-config.json` to bypass base-directory containment.
|
|
216
275
|
- Shared path validation now rejects Windows cross-drive escape cases where `path.relative()` returns an absolute path.
|
|
217
276
|
- Custom `I18NTK_INTERNAL_PATH_PREFIXES` entries can no longer mark arbitrary outside directories as internal roots.
|
|
@@ -220,6 +279,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
220
279
|
- Auto Translate provider URL validation now blocks IPv4-mapped IPv6 loopback/private hosts.
|
|
221
280
|
|
|
222
281
|
### Changed
|
|
282
|
+
|
|
223
283
|
- Main runtime now includes production-safe features from the enhanced runtime surface: per-call language overrides, synchronous `translateBatch()`, and `clearCache()` / `getCacheInfo()` helpers.
|
|
224
284
|
- `i18ntk/runtime/enhanced` remains available as a legacy public subpath for compatibility, while new production integrations should prefer the lightweight `i18ntk/runtime` API.
|
|
225
285
|
- Usage analysis now indexes known translation keys back to source files, including direct i18n calls and literal key references that were previously missed.
|
|
@@ -242,6 +302,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
242
302
|
- Updated public, root, and development package metadata for the 4.2.0 release line.
|
|
243
303
|
|
|
244
304
|
### Fixed
|
|
305
|
+
|
|
245
306
|
- Runtime JSON loading now preserves valid translation strings containing comment-like text such as `/* token */` by parsing valid JSON before using the comment-stripping fallback.
|
|
246
307
|
- Enhanced runtime now exports the top-level `translateBatch()`, `translateBatchEncrypted()`, and `tTyped()` helpers declared by its TypeScript definitions, and those declarations now reflect async return values.
|
|
247
308
|
- Usage analysis no longer scans the project root when `sourceDir` and `i18nDir` both point at the locale directory; it now uses a detected app source directory or disables usage scanning with a clear warning.
|
|
@@ -258,6 +319,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
258
319
|
## [4.1.0] - 2026-05-21
|
|
259
320
|
|
|
260
321
|
### Fixed
|
|
322
|
+
|
|
261
323
|
- Runtime: stale manifest entries (deleted files after manifest construction) no longer cause unhandled exceptions; loadedFiles set before load with try/catch guard.
|
|
262
324
|
- Runtime: `refresh()` now correctly clears the key manifest for the refreshed language, preventing stale file references.
|
|
263
325
|
- Runtime: null `baseDir` guard prevents cascading `validatePath(null)` errors in `loadKeyManifestFromDir`.
|
|
@@ -275,7 +337,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
275
337
|
- Watch: debounce `setTimeout` timers are now stored per-watcher and cleared on `emitter.stop()`, preventing memory leaks and spurious I/O after stop.
|
|
276
338
|
- Watch: `'unlink'` events are now subscribed for backward-compatible plain-function callback users.
|
|
277
339
|
- Usage: duplicate `require.main === module` block removed (caused `TypeError: Identifier 'main' has already been declared` at execution).
|
|
278
|
-
- Usage: `_keyInSourceComments` optimized from O(n
|
|
340
|
+
- Usage: `_keyInSourceComments` optimized from O(n\*m) to O(n+m) by pre-computing a `Set` of all comment strings once before the dead key loop.
|
|
279
341
|
- Usage: `--cleanup=false` and `--dry-run-delete=false` now correctly parse as falsy via `toBool()` helper.
|
|
280
342
|
- Usage: broken `detectFrameworkPatterns()` call with `undefined` arguments removed.
|
|
281
343
|
- Usage: dead `return;` in `analyze()` removed so the result object is now actually returned.
|
|
@@ -295,6 +357,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
295
357
|
- Public package metadata updated.
|
|
296
358
|
|
|
297
359
|
### Security
|
|
360
|
+
|
|
298
361
|
- Watch module: debounce timers properly cleaned up on stop and callback subscriptions corrected for object-format and unlink handlers.
|
|
299
362
|
- Runtime: loadedFiles lock-before-load pattern prevents duplicate I/O and stale manifest crash.
|
|
300
363
|
- Backup: circular parent reference detection; `--incremental=false` string truthy bypass closed.
|
|
@@ -307,6 +370,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
307
370
|
## [4.0.0] - 2026-05-21
|
|
308
371
|
|
|
309
372
|
### Added
|
|
373
|
+
|
|
310
374
|
- **Sizing Expansion Prediction**: `i18ntk-sizing` now supports `--predict-expansion` flag that computes per-key character-count expansion ratios across languages and classifies them into Safe/Warning/Critical risk tiers for UI layout planning. Includes a built-in language-pair expansion reference table (EN→DE 35%, EN→RU 50%, EN→JA -40%, etc.).
|
|
311
375
|
- **Watch Hot Reload**: `utils/watch-locales.js` rewritten as an EventEmitter-compatible watcher with debouncing (300ms default) and SHA-256 hash tracking to skip no-change saves. Returns a callable watcher object with `change`, `add`, `unlink`, `error` events and `stop()`.
|
|
312
376
|
- **Usage Dead Key Detection**: `i18ntk-usage` adds `--cleanup` and `--dry-run-delete` flags that identify unused translation keys with confidence scores (0.0–1.0) factoring dynamic access patterns, comment references, and file recency. Produces a `.dead-keys.json` report for safe review before deletion.
|
|
@@ -317,28 +381,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
317
381
|
- **Protection Context-Aware Rules**: `utils/translate/protection.js` extends the protection config schema to support context rules (`after:word`, `before:word`, `standalone`, `surrounded:left,right`). Plain string terms remain fully backward compatible. Total context rules capped at 100.
|
|
318
382
|
|
|
319
383
|
### Fixed
|
|
384
|
+
|
|
320
385
|
- `i18ntk/runtime` `initRuntime()` now returns independent runtime instances with separate language, fallback language, base directory, and cache state. Later `initRuntime()` calls no longer overwrite earlier returned runtimes or the module-level compatibility singleton.
|
|
321
386
|
|
|
322
387
|
### Changed
|
|
388
|
+
|
|
323
389
|
- `watchLocales()` now returns a callable watcher object with EventEmitter methods instead of only a bare `stop` function. Existing `const stop = watchLocales(...); stop();` usage remains supported. The returned object fires `change`, `add`, `unlink`, `error` events. If a callback function is passed as the second argument, it is auto-subscribed to `change` and `add` for backward compatibility.
|
|
324
390
|
- **BREAKING**: `i18ntk-sizing` JSON reports now include `expansionPredictions` at the top level when `--predict-expansion` is used. This field is additive — existing report fields are preserved.
|
|
325
391
|
|
|
326
392
|
## [3.3.0] - 2026-05-20
|
|
327
393
|
|
|
328
394
|
### Changed
|
|
395
|
+
|
|
329
396
|
- Auto Translate now supports `--provider google|deepl|libretranslate`; DeepL uses `DEEPL_API_KEY`, while LibreTranslate supports `LIBRETRANSLATE_URL` and optional `LIBRETRANSLATE_API_KEY`.
|
|
330
397
|
- Auto Translate provider networking now keeps HTTPS, host allowlist, response-size, private-network, and redacted security logging protections in place for additional providers.
|
|
331
398
|
|
|
332
399
|
### Fixed
|
|
400
|
+
|
|
333
401
|
- `i18ntk-complete` now fills missing target-language keys from the English source value with a language prefix such as `[DE] Home` instead of writing `NOT_TRANSLATED`; this works for both `locales/en/*.json` and monolith `locales/en.json` layouts.
|
|
334
402
|
|
|
335
403
|
### Security
|
|
404
|
+
|
|
336
405
|
- Eliminated all 21 dynamic `require()` calls flagged by Socket.dev: 20 `require(path.join(__dirname, ...))` patterns in `i18ntk-js.js`, `i18ntk-py.js`, `i18ntk-java.js`, `i18ntk-php.js`, and `i18ntk-go.js` converted to static string literal requires.
|
|
337
406
|
- Added `SecurityUtils.validatePath()` gate around the remaining dynamic `require()` in `i18ntk-translate.js` `loadCustomTranslateFn`.
|
|
338
407
|
- Created `utils/translate/safe-network.js` — a secure HTTPS wrapper with URL host/path allowlist validation, response size limits (100KB), suspicious query parameter detection, and security event logging. All outbound network access now flows through this validated layer.
|
|
339
408
|
- Replaced direct `https.get` call in `utils/translate/api.js` with `safeHttpGet` from the safe-network wrapper.
|
|
340
409
|
|
|
341
410
|
### Docs
|
|
411
|
+
|
|
342
412
|
- README.md updated for v3.3.0 Auto Translate providers and secure provider operations.
|
|
343
413
|
- SECURITY.md updated with Socket.dev analysis disclaimer and guidance on expected alerts for a CLI/i18n toolkit.
|
|
344
414
|
- CHANGELOG.md and `package.json` versionInfo updated for v3.3.0.
|
|
@@ -347,18 +417,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
347
417
|
|
|
348
418
|
This package is a developer CLI and runtime helper that performs file I/O, network access (translation provider APIs on user request), and environment variable access. As such, Socket.dev will flag the following alerts that are **expected and by design**:
|
|
349
419
|
|
|
350
|
-
| Alert
|
|
351
|
-
|
|
352
|
-
| Network access
|
|
353
|
-
| Environment variable access | Centralized through `env-manager.js` with a strict allowlist. Blocks `SECRET`, `PASSWORD`, `KEY`, `TOKEN`, `AWS_*`, `NPM_*`, and 15+ other patterns.
|
|
354
|
-
| Filesystem access
|
|
355
|
-
| URL strings
|
|
420
|
+
| Alert | Why it's expected |
|
|
421
|
+
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
|
422
|
+
| Network access | Only contacts configured translation providers via HTTPS when user invokes auto-translate. All outbound calls flow through `safe-network.js` with host/path allowlist validation, response size limits, private-network blocking, and redacted security event logging. No telemetry, no unexpected outbound calls. |
|
|
423
|
+
| Environment variable access | Centralized through `env-manager.js` with a strict allowlist. Blocks `SECRET`, `PASSWORD`, `KEY`, `TOKEN`, `AWS_*`, `NPM_*`, and 15+ other patterns. |
|
|
424
|
+
| Filesystem access | Reads/writes only project locale files and reports within validated paths. All FS operations gated by `SecurityUtils.validatePath`. |
|
|
425
|
+
| URL strings | Hardcoded default provider URLs for Google, DeepL, and LibreTranslate used only for auto-translation. No external resource loading. |
|
|
356
426
|
|
|
357
427
|
The v3.3.0 release resolves the actionable dynamic-require alert by eliminating all 21 instances.
|
|
358
428
|
|
|
359
429
|
## [3.2.0] - 2026-05-16
|
|
360
430
|
|
|
361
431
|
### Security
|
|
432
|
+
|
|
362
433
|
- **CRITICAL**: Fixed invalid `crypto.createCipherGCM`/`createDecipherGCM` API calls in `admin-pin.js` — replaced with `crypto.createCipheriv`/`createDecipheriv`.
|
|
363
434
|
- **CRITICAL**: Fixed missing `SecurityUtils` imports in `admin-pin.js`, `security-config.js`, and `scripts/security-check.js` causing `ReferenceError` at runtime.
|
|
364
435
|
- **CRITICAL**: Removed encryption key stored alongside ciphertext in `admin-pin.js`. The AES key was stored in the same JSON file as the encrypted PIN, providing zero cryptographic protection. Encryption key is now derived via HKDF from the scrypt hash.
|
|
@@ -371,6 +442,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
371
442
|
- Fixed `admin-pin.js` `getPinDisplay` to use stored `pinLength` instead of decrypting the raw PIN into memory.
|
|
372
443
|
|
|
373
444
|
### Fixed
|
|
445
|
+
|
|
374
446
|
- `admin-pin.js` lockout now uses timestamp-based expiry (`lockedUntil`) instead of `setTimeout`, ensuring lockout state survives process restarts.
|
|
375
447
|
- `translate/traverse.js` `setLeaf` now correctly creates `[]` for numeric array indices (was creating `{}`).
|
|
376
448
|
- `translate/traverse.js` extracted shared `parseKeyPath` function — `setLeaf` and `getLeaf` had duplicate path-parsing logic.
|
|
@@ -390,6 +462,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
390
462
|
- `admin-pin.js` scrypt→pbkdf2 fallback now emits a console warning instead of failing silently.
|
|
391
463
|
|
|
392
464
|
### Changed
|
|
465
|
+
|
|
393
466
|
- Updated all documentation to v3.2.0: README, CHANGELOG, docs/README, getting-started, runtime, auto-translate, environment-variables, scanner-guide, API_REFERENCE, COMPONENTS, and CONFIGURATION.
|
|
394
467
|
- Updated `package.json` version, `versionInfo`, `majorChanges`, and `nextVersion` for v3.2.0.
|
|
395
468
|
- Socket badge URL updated to v3.2.0.
|
|
@@ -397,31 +470,37 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
397
470
|
## [3.1.2] - 2026-05-07
|
|
398
471
|
|
|
399
472
|
### Fixed
|
|
473
|
+
|
|
400
474
|
- Auto Translate now resolves locale roots such as `./locales` to the selected source-language folder such as `./locales/en` when JSON files are stored under language folders.
|
|
401
475
|
- Public package staging now verifies root `package.json` and `package.public.json` release metadata are synchronized before pack or publish.
|
|
402
476
|
- Added a safe `publish:public:dry-run` path for validating the exact staged npm publish flow.
|
|
403
477
|
|
|
404
478
|
### Changed
|
|
479
|
+
|
|
405
480
|
- Updated release docs, npm README metadata, and package manifests for v3.1.2.
|
|
406
481
|
- Kept generated backups, temporary benchmark datasets, local setup state, and debug repair files out of future public repo commits through `.gitignore`.
|
|
407
482
|
|
|
408
483
|
## [3.1.1] - 2026-05-07
|
|
409
484
|
|
|
410
485
|
### Added
|
|
486
|
+
|
|
411
487
|
- **Auto Translate protection file workflow**: Added user-editable `i18ntk-auto-translate.json` support for protected terms, key paths, exact values, and regex patterns.
|
|
412
488
|
- **Public package README guard**: Public package staging now verifies `README.md` is included and non-empty before publish.
|
|
413
489
|
|
|
414
490
|
### Changed
|
|
491
|
+
|
|
415
492
|
- Updated README and release documentation for the current Auto Translate protection workflow and public package contents.
|
|
416
493
|
- Removed project-specific hardcoded validation examples so users configure their own brand and domain terms.
|
|
417
494
|
|
|
418
495
|
### Fixed
|
|
496
|
+
|
|
419
497
|
- Removed provider-shaped fake secret fixtures from tests to avoid GitHub push protection false positives.
|
|
420
498
|
- Ensured public package metadata includes `readmeFilename: "README.md"` so npm can render the package README.
|
|
421
499
|
|
|
422
500
|
## [3.1.0] - 2026-05-07
|
|
423
501
|
|
|
424
502
|
### Added
|
|
503
|
+
|
|
425
504
|
- **Placeholder-preserve translation mode**: Translates text segments around dynamic placeholders and reinserts the original tokens exactly.
|
|
426
505
|
- **Auto Translate beta settings**: Added settings for placeholder mode, concurrency, batch size, progress interval, retry count, retry delay, timeout, dry-run preview, report output, and BOM output.
|
|
427
506
|
- **Large-file tuning flags**: Added `--batch-size` and `--progress-interval` to `i18ntk-translate`.
|
|
@@ -430,6 +509,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
430
509
|
- **Sizing file-set analysis**: Added per-language file counts, per-file sizing statistics, and missing/extra file comparison across locale folders.
|
|
431
510
|
|
|
432
511
|
### Changed
|
|
512
|
+
|
|
433
513
|
- Automated and manager Auto Translate flows now default to placeholder `preserve` mode instead of skipping placeholder-bearing strings.
|
|
434
514
|
- `i18ntk-translate` can now be imported and run in-process by other package modules.
|
|
435
515
|
- Source JSON reads tolerate UTF-8 BOM-prefixed files.
|
|
@@ -438,17 +518,20 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
438
518
|
- Sizing reports now include folder-level file counts and per-file key/character breakdowns for each language.
|
|
439
519
|
|
|
440
520
|
### Fixed
|
|
521
|
+
|
|
441
522
|
- Fixed false-positive validation warnings for normal product copy terms.
|
|
442
523
|
- Fixed validator handling so ordinary explanatory uses of words like `token` or `secret` are not treated as leaked credentials.
|
|
443
524
|
- Fixed distorted `i18ntk-sizing` table output by rendering aligned columns from measured values instead of fixed localized spacing.
|
|
444
525
|
- Fixed sizing language comparison output so it uses analyzed languages and the configured source language baseline.
|
|
445
526
|
|
|
446
527
|
### Security
|
|
528
|
+
|
|
447
529
|
- Removed production `child_process` usage from `main/manage/commands/TranslateCommand.js` by replacing the spawned CLI process with an in-process translator call.
|
|
448
530
|
|
|
449
531
|
## [3.0.0] - 2026-05-05
|
|
450
532
|
|
|
451
533
|
### Added
|
|
534
|
+
|
|
452
535
|
- **`i18ntk-translate`**: Zero-dependency CLI tool that converts English source JSON locale files into any target language via Google's free Translate API.
|
|
453
536
|
- **Placeholder protection**: Intelligent detection, masking, and unmasking of dynamic placeholder tokens (`{name}`, `{{count}}`, `%d`, `%s`, `:param`, `{{variable}}`, `%{name}`, `${var}`, etc.) to prevent corruption during translation.
|
|
454
537
|
- **Custom regex support**: `--custom-regex` flag to define additional placeholder patterns for detection and protection.
|
|
@@ -463,11 +546,13 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
463
546
|
- **Deep JSON traversal**: Full support for nested objects and arrays, preserving data types, null values, and non-string leaf values.
|
|
464
547
|
|
|
465
548
|
### Changed
|
|
549
|
+
|
|
466
550
|
- Version bumped to 3.0.0 (major release with new translation tool feature).
|
|
467
551
|
|
|
468
552
|
## [2.6.0] - 2026-05-03
|
|
469
553
|
|
|
470
554
|
### Security
|
|
555
|
+
|
|
471
556
|
- **CRITICAL**: Fixed 8+ silent-write failures where `safeWriteFileSync` was called without basePath parameter across `utils/config.js`, `utils/config-helper.js`, `utils/secure-errors.js`, and `main/i18ntk-scanner.js`.
|
|
472
557
|
- Replaced all raw `fs` calls (`readdirSync`, `statSync`, `mkdirSync`, `unlinkSync`, `rmSync`) with `SecurityUtils` wrappers in `main/i18ntk-validate.js`, `main/i18ntk-scanner.js`, `main/manage/commands/FixerCommand.js`, and `utils/secure-errors.js`.
|
|
473
558
|
- Fixed path traversal checks in `security.js` and `config-manager.js` — replaced fragile `path.sep`-based comparison with robust `startsWith('..')` prefix check.
|
|
@@ -475,6 +560,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
475
560
|
- Fixed `SecurityUtils.safeParseJSON` reference leak — deep-clones objects instead of returning caller's reference.
|
|
476
561
|
|
|
477
562
|
### Fixed
|
|
563
|
+
|
|
478
564
|
- Fixed `main/i18ntk-analyze.js` `this.adminAuth` reference error (local variable was not assigned to instance property).
|
|
479
565
|
- Fixed `main/i18ntk-validate.js` `ExitCodes.CONFIG_ERROR` referenced before declaration.
|
|
480
566
|
- Fixed `main/i18ntk-scanner.js` `fs.readdirSync(projectRoot, { recursive: true })` removed (unsupported in older Node.js).
|
|
@@ -491,37 +577,45 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
491
577
|
- Fixed `utils/admin-auth.js` `uncaughtException` handler wrong parameter format.
|
|
492
578
|
|
|
493
579
|
### Added
|
|
580
|
+
|
|
494
581
|
- `SecurityUtils.safeUnlinkSync(filePath, basePath)` — safely delete a file.
|
|
495
582
|
- `SecurityUtils.safeRmdirSync(dirPath, basePath)` — safely remove a directory.
|
|
496
583
|
|
|
497
584
|
### Changed
|
|
585
|
+
|
|
498
586
|
- `configManager.resolvePaths`, `configManager.toRelative`, and config lock path now dynamically resolve via `getUserProjectRoot()`/`getProjectConfigPath()`.
|
|
499
587
|
- `configManager.CONFIG_PATH` is now a getter that dynamically returns the project config path.
|
|
500
588
|
- `configManager.migrateLegacyIfNeeded` exported for testability.
|
|
501
589
|
|
|
502
590
|
### TypeScript
|
|
591
|
+
|
|
503
592
|
- Fixed `runtime/i18ntk.d.ts` `BasicI18nRuntime.translate` and `t` return types from `Promise<string>` to `string`.
|
|
504
593
|
|
|
505
594
|
### Scripts
|
|
595
|
+
|
|
506
596
|
- Fixed `scripts/build-public-package.js` and `scripts/reset-release-state.js` `npm_execpath` fallback for missing env var.
|
|
507
597
|
- Fixed `scripts/lint-locales.js` BOM handling and try-catch for `fs.readdirSync`.
|
|
508
598
|
|
|
509
599
|
## [2.5.1] - 2026-04-29
|
|
510
600
|
|
|
511
601
|
### Security
|
|
602
|
+
|
|
512
603
|
- Fixed `AdminAuth.verifyPin()` to fail closed when admin config is missing, disabled, or malformed instead of returning success.
|
|
513
604
|
- Fixed auth-required checks to fail closed when settings require admin PIN protection but the admin config is unusable.
|
|
514
605
|
- Normalized admin session expiry handling by storing both `expires` and `expiresAt` and cleaning up both formats consistently.
|
|
515
606
|
|
|
516
607
|
### Added
|
|
608
|
+
|
|
517
609
|
- Added regression tests for admin PIN fail-closed behavior and session expiry cleanup.
|
|
518
610
|
|
|
519
611
|
### Changed
|
|
612
|
+
|
|
520
613
|
- Documented the public npm package staging flow introduced after `2.5.0`.
|
|
521
614
|
|
|
522
615
|
## [2.5.0] - 2026-04-29
|
|
523
616
|
|
|
524
617
|
### Security
|
|
618
|
+
|
|
525
619
|
- Centralized environment-variable access behind the `utils/env-manager.js` allowlist.
|
|
526
620
|
- Hardened `SecurityUtils.safeJoin()` and path validation against sibling-prefix containment bypasses.
|
|
527
621
|
- Switched admin PIN hash verification to timing-safe comparison.
|
|
@@ -529,17 +623,20 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
529
623
|
- Expanded the release security scanner to inspect nested production source files.
|
|
530
624
|
|
|
531
625
|
### Fixed
|
|
626
|
+
|
|
532
627
|
- Fixed the manager fixer command so applied fixes are written to the same parsed object that is saved.
|
|
533
628
|
- Fixed fixer writes for absolute source directories outside the current working directory.
|
|
534
629
|
- Fixed debug-menu file reads to use `SecurityUtils` wrappers.
|
|
535
630
|
- Fixed `secure-errors` to import its `SecurityUtils` dependency explicitly.
|
|
536
631
|
|
|
537
632
|
### Changed
|
|
633
|
+
|
|
538
634
|
- Updated package and documentation metadata to `2.5.0`.
|
|
539
635
|
|
|
540
636
|
## [2.4.0] - 2026-04-16
|
|
541
637
|
|
|
542
638
|
### Changed
|
|
639
|
+
|
|
543
640
|
- Disabled npm registry update-check behavior in CLI startup paths.
|
|
544
641
|
- Disabled manager-route backup execution (`i18ntk --command=backup`); standalone `i18ntk-backup` remains available.
|
|
545
642
|
- Disabled setup prerequisite command probing via `PATH` inspection.
|
|
@@ -548,6 +645,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
548
645
|
## [2.3.8] - 2026-04-13
|
|
549
646
|
|
|
550
647
|
### Added
|
|
648
|
+
|
|
551
649
|
- Added centralized structured logger with standardized prefixes and configurable levels (`error`, `warn`, `info`, `debug`).
|
|
552
650
|
- Added opt-in JSON log output for CI/build pipelines via `JSON_LOG=true`.
|
|
553
651
|
- Added missing-translation-key cache TTL (5 minutes) to prevent repeated key-miss spam.
|
|
@@ -555,11 +653,13 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
555
653
|
- Added test coverage for logger timing/progress/worker aggregation behavior.
|
|
556
654
|
|
|
557
655
|
### Fixed
|
|
656
|
+
|
|
558
657
|
- Fixed repeated default-configuration fallback output by emitting a single fallback notice per process.
|
|
559
658
|
- Fixed recursive security/i18n logging interactions that could trigger repeated warning cascades.
|
|
560
659
|
- Fixed false-positive security warnings for internal package/project absolute paths through internal root whitelisting.
|
|
561
660
|
|
|
562
661
|
### Changed
|
|
662
|
+
|
|
563
663
|
- Logging is now silent by default for non-critical output in production-like builds unless `DEBUG_MODE=true`.
|
|
564
664
|
- Security warning reasons now use specific detection details instead of generic "dangerous patterns".
|
|
565
665
|
- Updated package/docs/version metadata to `2.3.8`.
|
|
@@ -567,10 +667,12 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
567
667
|
## [2.3.7] - 2026-04-12
|
|
568
668
|
|
|
569
669
|
### Fixed
|
|
670
|
+
|
|
570
671
|
- Removed false-positive path traversal warnings for safe absolute project paths during framework builds.
|
|
571
672
|
- Reduced repeated default-configuration console noise in multi-worker build environments.
|
|
572
673
|
|
|
573
674
|
### Changed
|
|
675
|
+
|
|
574
676
|
- Security event console logging is now fully opt-in via `I18NTK_ENABLE_SECURITY_LOGS=true` (or debug envs).
|
|
575
677
|
- Config-manager diagnostic console logging is now fully opt-in via `I18NTK_ENABLE_LOGS=true` (or debug envs).
|
|
576
678
|
- Updated docs to reflect new default-silent logging behavior and troubleshooting toggles.
|
|
@@ -578,16 +680,19 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
578
680
|
## [2.3.6] - 2026-04-12
|
|
579
681
|
|
|
580
682
|
### Security
|
|
683
|
+
|
|
581
684
|
- **Fixed path traversal vulnerability** in temporary file creation
|
|
582
685
|
- **Added `safeJoin` function** for secure path construction
|
|
583
686
|
- **Improved path validation** throughout the codebase
|
|
584
687
|
|
|
585
688
|
### Fixed
|
|
689
|
+
|
|
586
690
|
- Hardened settings reset and backup cleanup paths to reduce risk of broad/deep unintended file deletion.
|
|
587
691
|
- Hardened backup command path handling to keep source/output/restore operations inside project boundaries by default.
|
|
588
692
|
- Fixed backup-class async file operations to consistently use `fs.promises` APIs.
|
|
589
693
|
|
|
590
694
|
### Changed
|
|
695
|
+
|
|
591
696
|
- **Silent security logging by default**: Info-level messages suppressed, warnings/errors shown
|
|
592
697
|
- **Debug mode**: Enable verbose logging with `I18N_DEBUG=true`
|
|
593
698
|
- **Centralized security logging**: All security events use `SecurityUtils.logSecurityEvent()`
|
|
@@ -597,76 +702,92 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
597
702
|
## [2.3.4] - 2026-04-12
|
|
598
703
|
|
|
599
704
|
### Fixed
|
|
705
|
+
|
|
600
706
|
- Fixed runtime autosave behavior so configuration write failures no longer hard-throw through request/render paths.
|
|
601
707
|
- Fixed config save race resilience by combining queued writes, cross-process lock files, and unique temp filenames per write.
|
|
602
708
|
|
|
603
709
|
### Added
|
|
710
|
+
|
|
604
711
|
- Added `I18NTK_DISABLE_AUTOSAVE` support to skip disk persistence and keep in-memory config in server/runtime environments.
|
|
605
712
|
- Added config-manager concurrency regression test covering parallel `saveConfig` calls.
|
|
606
713
|
|
|
607
714
|
### Changed
|
|
715
|
+
|
|
608
716
|
- Updated package/docs/version metadata to `2.3.4`.
|
|
609
717
|
- Updated support policy guidance to recommend upgrading from versions below `2.3.4`.
|
|
610
718
|
|
|
611
719
|
## [2.3.3] - 2026-04-12
|
|
612
720
|
|
|
613
721
|
### Fixed
|
|
722
|
+
|
|
614
723
|
- Fixed production config persistence race across multiple Node processes by adding cross-process file locking for `.i18ntk-config` writes.
|
|
615
724
|
- Fixed intermittent `ENOENT` during atomic config rename operations under concurrent production traffic.
|
|
616
725
|
|
|
617
726
|
### Changed
|
|
727
|
+
|
|
618
728
|
- Updated package/docs/version metadata to `2.3.3`.
|
|
619
729
|
- Updated support policy guidance to recommend upgrading from versions below `2.3.3`.
|
|
620
730
|
|
|
621
731
|
## [2.3.2] - 2026-04-12
|
|
622
732
|
|
|
623
733
|
### Added
|
|
734
|
+
|
|
624
735
|
- Added startup npm-registry version checks that warn when the installed CLI is behind the latest published `i18ntk` release.
|
|
625
736
|
- Added support for checking all published semver versions up to the current latest tag to improve outdated-version detection reliability.
|
|
626
737
|
|
|
627
738
|
### Fixed
|
|
739
|
+
|
|
628
740
|
- Fixed fatal analyze-command startup failure in manager command flow caused by missing `validateSourceDir` import.
|
|
629
741
|
|
|
630
742
|
### Changed
|
|
743
|
+
|
|
631
744
|
- Updated package/docs/version metadata to `2.3.2`.
|
|
632
745
|
- Updated support policy guidance to recommend upgrading from versions below `2.3.2`.
|
|
633
746
|
|
|
634
747
|
## [2.3.1] - 2026-04-12
|
|
635
748
|
|
|
636
749
|
### Fixed
|
|
750
|
+
|
|
637
751
|
- Fixed package export-path fallback in `utils/i18n-helper` that could trigger build warnings in production bundlers (`i18ntk/resources/i18n/ui-locales/en.json` not exported).
|
|
638
752
|
|
|
639
753
|
### Changed
|
|
754
|
+
|
|
640
755
|
- Updated package/docs/version metadata to `2.3.1`.
|
|
641
756
|
- Updated support policy guidance to recommend upgrading from versions below `2.3.1`.
|
|
642
757
|
|
|
643
758
|
## [2.3.0] - 2026-04-12
|
|
644
759
|
|
|
645
760
|
### Added
|
|
761
|
+
|
|
646
762
|
- Added validation summary report output after validation runs.
|
|
647
763
|
- Added init-time backup configuration prompt (default disabled, optional enable).
|
|
648
764
|
|
|
649
765
|
### Fixed
|
|
766
|
+
|
|
650
767
|
- Fixed backup recursion/pollution risk by moving automated fixer backups to a dedicated backup root.
|
|
651
768
|
- Fixed backup retention behavior to keep 1 by default with enforced bounds up to 3.
|
|
652
769
|
- Fixed language discovery in validate/fixer flows to ignore backup/report directories.
|
|
653
770
|
|
|
654
771
|
### Changed
|
|
772
|
+
|
|
655
773
|
- Updated package/docs/version metadata to `2.3.0`.
|
|
656
774
|
- Updated support policy guidance to recommend upgrading from versions below `2.3.0`.
|
|
657
775
|
|
|
658
776
|
## [2.2.0] - 2026-04-12
|
|
659
777
|
|
|
660
778
|
### Added
|
|
779
|
+
|
|
661
780
|
- Added an explicit upgrade/support notice in docs recommending upgrade from pre-`2.2.0` versions.
|
|
662
781
|
- Added migration guide for `v2.2.0`.
|
|
663
782
|
|
|
664
783
|
### Fixed
|
|
784
|
+
|
|
665
785
|
- Fixed critical sizing workflow regressions.
|
|
666
786
|
- Fixed critical usage-analysis workflow regressions.
|
|
667
787
|
- Fixed runtime locale optimizer dependency path after publish-surface cleanup.
|
|
668
788
|
|
|
669
789
|
### Changed
|
|
790
|
+
|
|
670
791
|
- Reduced publish surface by excluding internal development scripts from npm package artifacts.
|
|
671
792
|
- Excluded legacy fixed artifacts from package output (`main/manage/index-fixed.js`, `utils/security-fixed.js`).
|
|
672
793
|
- Updated package/docs/version metadata to `2.2.0`.
|
|
@@ -674,15 +795,18 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
674
795
|
## [2.1.1] - 2026-04-11
|
|
675
796
|
|
|
676
797
|
### Added
|
|
798
|
+
|
|
677
799
|
- Version bump to 2.1.1 for release.
|
|
678
800
|
- Added `SecurityUtils.debugLog` function for consistent debugging.
|
|
679
801
|
|
|
680
802
|
### Fixed
|
|
803
|
+
|
|
681
804
|
- Fixed `SecurityUtils.logSecurityEvent` calls missing `level` parameter in `i18ntk-usage` and `UsageService`.
|
|
682
805
|
- Fixed `level.toLowerCase is not a function` error in usage analysis.
|
|
683
806
|
- Fixed `SecurityUtils.debugLog is not a function` error in sizing analysis.
|
|
684
807
|
|
|
685
808
|
### Changed
|
|
809
|
+
|
|
686
810
|
- Updated package and release metadata to `2.1.1`.
|
|
687
811
|
- Removed legacy `resources/i18n/ui-locales` path references (use `ui-locales/` instead).
|
|
688
812
|
- Updated all UI locale loading to use `ui-locales/` directory.
|
|
@@ -690,10 +814,12 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
690
814
|
## [2.1.0] - 2026-04-11
|
|
691
815
|
|
|
692
816
|
### Added
|
|
817
|
+
|
|
693
818
|
- Added a v2.1.0 migration guide and updated release runbook references.
|
|
694
819
|
- Added stricter language-directory filtering in analysis paths to ignore backup/report folders.
|
|
695
820
|
|
|
696
821
|
### Fixed
|
|
822
|
+
|
|
697
823
|
- Fixed interactive menu command flow so it reliably returns to the main menu after command completion.
|
|
698
824
|
- Fixed analysis progress output to report the correct processed-language count.
|
|
699
825
|
- Fixed duplicate report-save output lines during analysis.
|
|
@@ -702,70 +828,84 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
702
828
|
- Fixed locale-loading path fallback behavior to avoid noisy startup errors in global installs.
|
|
703
829
|
|
|
704
830
|
### Changed
|
|
831
|
+
|
|
705
832
|
- Synchronized and normalized UI locale keys across `resources/i18n/ui-locales` and `ui-locales`.
|
|
706
833
|
- Updated package/release metadata to `2.1.0`.
|
|
707
834
|
|
|
708
835
|
## [2.0.0] - 2026-01-01
|
|
709
836
|
|
|
710
837
|
### Added
|
|
838
|
+
|
|
711
839
|
- Added missing runtime translation keys across `init`, `fixer`, `sizing`, `summary`, `usage`, and settings import/export flows.
|
|
712
840
|
- Added `SecurityUtils.safeParseJSON`, `SecurityUtils.safeReadFile`, and `SecurityUtils.safeWriteFile` compatibility APIs used by v2 command paths.
|
|
713
841
|
- Added source-locale bootstrap behavior during `init` when the source language directory exists but has no translation files.
|
|
714
842
|
|
|
715
843
|
### Fixed
|
|
844
|
+
|
|
716
845
|
- Fixed initialization state detection to use project `.i18ntk-config` setup metadata as the v2 source of truth.
|
|
717
846
|
- Fixed false setup-invalid states caused by BOM-encoded config files during setup checks.
|
|
718
847
|
- Fixed config persistence risk by using atomic writes in `config-manager` save flow.
|
|
719
848
|
- Fixed self-dependency metadata so the package remains zero-dependency in v2.
|
|
720
849
|
|
|
721
850
|
### Changed
|
|
851
|
+
|
|
722
852
|
- Updated package release metadata for the v2 line (`versionInfo`, deprecations, nextVersion).
|
|
723
853
|
|
|
724
854
|
## [1.10.2] - 2025-08-23
|
|
725
855
|
|
|
726
856
|
### 🚨 Critical Fix
|
|
857
|
+
|
|
727
858
|
- **Fixed projectRoot default path**: Resetting settings now correctly restores `projectRoot` to `/` instead of `./`, ensuring fresh installs work out-of-the-box
|
|
728
859
|
|
|
729
860
|
### 🆕 New Features
|
|
861
|
+
|
|
730
862
|
- **Centralized Environment Variable Management**: Added comprehensive environment variable support with validation and security controls
|
|
731
863
|
- **Enhanced Debug Logging**: Improved debug logging with environment variable support for better troubleshooting
|
|
732
864
|
- **Secure Plugin Loading**: Added path sanitization for module loading to prevent security issues
|
|
733
865
|
|
|
734
866
|
### 🔒 Security Enhancements
|
|
867
|
+
|
|
735
868
|
- **Enhanced Path Validation**: Strengthened path validation and file operations security
|
|
736
869
|
- **Secure Module Loading**: Added path sanitization for all plugin/module loading operations
|
|
737
870
|
- **Environment Variable Security**: Implemented centralized environment variable management with security filtering
|
|
738
871
|
|
|
739
872
|
### 🛠️ Improvements
|
|
873
|
+
|
|
740
874
|
- **Refactored Configuration Handling**: Updated config system with integrated environment variable support
|
|
741
875
|
- **Enhanced Logging System**: Improved debug logging capabilities with environment variable integration
|
|
742
876
|
- **Better Error Handling**: Enhanced error messages and debugging information
|
|
743
877
|
|
|
744
878
|
### 📚 Documentation
|
|
879
|
+
|
|
745
880
|
- **Environment Variables Guide**: Added comprehensive documentation for all supported environment variables
|
|
746
881
|
- **Migration Notes**: Added clear migration guidance for projectRoot path changes
|
|
747
882
|
|
|
748
883
|
### 🔧 Technical Changes
|
|
884
|
+
|
|
749
885
|
- **Package Version**: Updated to v1.10.2 across all files
|
|
750
886
|
- **Security Patches**: Applied security improvements to path handling and file operations
|
|
751
887
|
|
|
752
888
|
## [1.10.1] - 2025-08-22
|
|
753
889
|
|
|
754
890
|
### Added
|
|
891
|
+
|
|
755
892
|
- **New Terminal-Icons Utility**: Added `terminal-icons` utility for better emoji support in terminal output
|
|
756
893
|
- **Enhanced UI Text Processing**: Improved text processing with terminal-safe fallbacks for special characters
|
|
757
894
|
|
|
758
895
|
### Fixed
|
|
896
|
+
|
|
759
897
|
- Fixed infinite setup loop issue (Hotfix)
|
|
760
898
|
- Resolved version string update inconsistencies
|
|
761
899
|
|
|
762
900
|
### Changed
|
|
901
|
+
|
|
763
902
|
- Update version strings across all files from 1.9.1 to 1.10.1
|
|
764
903
|
- Remove outdated package-lock.json and backup config
|
|
765
904
|
|
|
766
905
|
## [1.10.0] - 2025-08-22
|
|
767
906
|
|
|
768
907
|
### Added
|
|
908
|
+
|
|
769
909
|
- **Enhanced Runtime API**: Improved framework-agnostic translation runtime with better TypeScript support
|
|
770
910
|
- **Framework Detection**: Enhanced support for Next.js, Nuxt.js, and SvelteKit projects
|
|
771
911
|
- **Reset Script**: Added `reset-for-publish.js` for clean package publishing
|
|
@@ -774,6 +914,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
774
914
|
- **Caching System**: Added configuration caching to prevent redundant initialization
|
|
775
915
|
|
|
776
916
|
### Fixed
|
|
917
|
+
|
|
777
918
|
- **DNR Functionality**: Fixed persistence of "Do Not Remind" settings across version updates
|
|
778
919
|
- **Settings Management**: Improved error handling and logging for settings operations
|
|
779
920
|
- **TypeScript Definitions**: Enhanced type safety and autocomplete for better developer experience
|
|
@@ -783,17 +924,17 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
783
924
|
- **Path Resolution**: Fixed source directory path handling for CLI arguments
|
|
784
925
|
|
|
785
926
|
### Security
|
|
927
|
+
|
|
786
928
|
- **Settings Persistence**: Secure handling of user preferences and framework settings
|
|
787
929
|
- **Error Handling**: Improved error reporting for configuration issues
|
|
788
930
|
- **Dependencies**: Maintained zero runtime dependencies for maximum security
|
|
789
931
|
- **Shell Access**: Confirmed no child_process usage in setup-enforcer.js
|
|
790
932
|
- **Input Validation**: Enhanced path validation for source and output directories
|
|
791
933
|
|
|
792
|
-
|
|
793
|
-
|
|
794
934
|
## [1.9.1] - 2025-08-14
|
|
795
935
|
|
|
796
936
|
### Added
|
|
937
|
+
|
|
797
938
|
- **Python Support**: Full support for Python frameworks including Django, Flask, FastAPI, and generic Python projects
|
|
798
939
|
- **Enhanced Framework Detection**: Improved accuracy for all supported frameworks with new Python detection algorithms
|
|
799
940
|
- **Common Locale File**: Added `locales/common.json` for shared translation keys across frameworks
|
|
@@ -801,6 +942,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
801
942
|
- **Exit/Cancel Option**: Added option to exit/cancel (press 0) during directory selection in fixer command
|
|
802
943
|
|
|
803
944
|
### Changed
|
|
945
|
+
|
|
804
946
|
- **Security Overhaul**: Replaced all `child_process` imports with native Node.js APIs
|
|
805
947
|
- **Performance**: Maintained 97% performance improvement while adding security enhancements
|
|
806
948
|
- **Framework Detection**: Updated detection patterns for JavaScript, Python, Go, Java, and PHP
|
|
@@ -808,18 +950,21 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
|
|
|
808
950
|
- **Documentation**: Comprehensive updates to reflect new features and security improvements
|
|
809
951
|
|
|
810
952
|
### Removed
|
|
953
|
+
|
|
811
954
|
- **Outdated Test Files**: Cleaned up test directories and removed deprecated test scripts
|
|
812
955
|
- **Debug Tools**: Removed unused benchmark and package test files
|
|
813
956
|
- **Shell Dependencies**: Eliminated all shell command dependencies
|
|
814
957
|
- **Legacy Files**: Removed outdated configuration and development files
|
|
815
958
|
|
|
816
959
|
### Security
|
|
960
|
+
|
|
817
961
|
- **Zero Vulnerabilities**: Successfully passed security audit with 0 vulnerabilities
|
|
818
962
|
- **Memory Safety**: Enhanced memory-safe operations throughout the codebase
|
|
819
963
|
- **Input Validation**: Improved validation for all user inputs and file operations
|
|
820
964
|
- **Dependency Cleanup**: Removed all shell-related dependencies
|
|
821
965
|
|
|
822
966
|
### Performance
|
|
967
|
+
|
|
823
968
|
- **Zero Overhead**: Security enhancements added zero performance overhead
|
|
824
969
|
- **Python Detection**: Minimal overhead from new Python framework detection
|
|
825
970
|
- **Memory Usage**: Maintained <2MB memory usage for all operations
|