i18ntk 4.5.2 → 4.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -5,13 +5,48 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [4.5.4] - 2026-06-19
9
+
10
+ ### Fixed
11
+
12
+ - **Analyze:** Fixed `this.provideSetupGuidance is not a function` when no target locales are available. Analyze now prints setup guidance instead of crashing.
13
+ - **Manager Route:** Manager-routed commands now propagate subcommand failures and no longer print `Operation completed successfully!` after a runtime failure.
14
+ - **Complete:** Fixed `i18ntk-complete --help` by wiring the shared help renderer and keeping help output side-effect free.
15
+ - **Validate:** Removed mixed failure/success output. Validation only prints successful completion when the validation result succeeds.
16
+ - **Summary:** Guarded empty locale roots so `Average keys per language` prints `0` instead of `NaN`, and missing locale roots exit as invalid setup/argument failures.
17
+ - **Analyze Reports:** Report write failures now fail analyze with a non-zero exit code instead of continuing with success wording.
18
+
19
+ ### Changed
20
+
21
+ - **CLI Flags:** Added canonical aliases: `--code-dir` / `--source-code-dir` for application source files, `--locales-dir` / `--i18n-dir` for locale files, and `--source-locale` for source language. Legacy `--source-dir`, `--i18n-dir`, and `--source-language` remain supported.
22
+ - **Exit Codes:** Standardized automation behavior: `0` for success, `1` for validation/report/runtime failures, and `2` for invalid arguments or missing setup in non-interactive mode.
23
+ - **CI Behavior:** Commands skip prompts when `--no-prompt` is passed, `CI=true`, stdin is not a TTY, or stdout is not a TTY.
24
+ - **Complete Summary:** Completion output now distinguishes locales scanned, target locales changed, unique source keys added, total key insertions, files modified, files skipped, and dry-run status.
25
+
26
+ ### Documentation
27
+
28
+ - Updated README, API, configuration, scanner, and environment-variable docs with canonical CLI flags, legacy alias notes, and CI exit-code behavior.
29
+
30
+ ### Tests
31
+
32
+ - Added CLI reliability regression coverage for the analyze crash, manager failure propagation, complete help output, directory/source-locale aliases, summary `NaN`, non-interactive prompt suppression, validation wording, and completion summary labels.
33
+
34
+ ## [4.5.3] - 2026-06-19
35
+
36
+ ### Fixed
37
+
38
+ - **Usage Scanner (Critical):** Fixed `supportedExtensions` default fallback in `config-helper.js` that excluded `.tsx` and `.jsx` files from source scanning. The default was `['.json', '.js', '.ts']` — missing `.jsx` and `.tsx`. In a Next.js project with 2704 keys across 1087 files, this caused the scanner to find only 57 keys (2.1%) instead of 2702 (99.9%) because all `.tsx` component files were silently ignored. The fix adds `.jsx` and `.tsx` to the default fallback: `['.json', '.js', '.jsx', '.ts', '.tsx']`.
39
+ - **Usage Dead Code:** Cleaned up unreachable initializer in `i18ntk-usage.js` that was supposed to set default `includeExtensions` but never ran because `supportedExtensions` was always set by `config-helper.js`. Added `.vue` and `.svelte` to the fallback for completeness.
40
+
8
41
  ## [4.5.2] - 2026-06-19
9
42
 
10
43
  ### Fixed
44
+
11
45
  - **Complete (Namespace Wrapper):** Fixed critical bug where missing keys were inserted at the wrong nesting level in target locale files. When a file (e.g., `auth.json`) contains a namespace wrapper matching its filename (`{ "auth": { ... } }`), the `complete` command now detects this wrapper and inserts keys inside it (`auth.panel.sign_in`) instead of at root level (`panel.sign_in`). This prevents runtime lookup failures for `t("auth.panel.sign_in")`.
12
46
  - **Translate (--output-dir):** Fixed bug where the `--output-dir` flag wrote translated files directly to `<output-dir>/<filename>` instead of `<output-dir>/<targetLang>/<filename>`. This caused all translations (regardless of target language) to land in the same directory, silently overwriting files from other languages in multi-language projects. When `args.outputDir` is provided, `processFile()` now appends `targetLang` to construct the correct output path.
13
47
 
14
48
  ### Tests
49
+
15
50
  - Added `tests/regression-v452.test.js` with 18 regression tests covering:
16
51
  - Complete command namespace wrapper detection (parseKeyPath, setNestedValue, hasNestedKey, wrapper detection logic)
17
52
  - Validate getAllKeys leaf-only mode and completeness calculation
@@ -19,7 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
19
54
  - Scanner source directory fallback when sourceDir equals i18nDir
20
55
  - Doctor auto-detection of languages from i18n directory
21
56
  - Version consistency across package files
22
- - Added `--output-dir` target language subdirectory tests to `tests/regression-v452.test.js`: verifies `processFile()` places output in `<outputDir>/<targetLang>/<file>` and that CLI `--output-dir` produces the correct nested path
57
+ - Added `--output-dir` target language subdirectory tests to `tests/regression-v452.test.js`: verifies `processFile()` places output in `<outputDir>/<targetLang>/<file>` and that CLI `--output-dir` produces the correct nested path
23
58
  - Added 8 tests in `tests/usage-insights.test.js` for hardcoded text false-positive filtering:
24
59
  - JS/TS built-in type name rejection (Promise, Boolean, String)
25
60
  - Code expression operator rejection (&&, ||, ===, !==, =>)
@@ -29,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
29
64
  ## [4.5.1] - 2026-06-19
30
65
 
31
66
  ### Fixed
67
+
32
68
  - **Complete:** Fixed wrong nesting level when adding missing keys to target locale files that have a namespace wrapper matching the file name. Previously, `parseKeyPath("auth.panel.sign_in")` returned `{ file: "auth.json", key: "panel.sign_in" }`, and `setNestedValue` inserted `panel` at the root level instead of inside the existing `auth` wrapper. The fix detects namespace wrappers (e.g., `auth.json` containing `{ "auth": { ... } }`) and prepends the namespace to the insertion path so keys go inside the wrapper.
33
69
  - **Validate:** `getAllKeys()` no longer reports parent namespace objects (e.g., `footer`) as missing keys alongside their leaf children (`footer.copyright`). Only leaf (string) keys are now compared during structural validation.
34
70
  - **Validate:** Completion percentage now compares against source locale total keys, not target locale self-count. A locale with 14 of 42 source keys now correctly shows 33% instead of 100%.
@@ -39,12 +75,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
39
75
  ## [4.5.0] - 2026-06-19
40
76
 
41
77
  ### Security — Prototype Pollution Hardened
78
+
42
79
  - **safe-json.js:** Added `stripPrototypePollution()` function that recursively filters `__proto__`, `constructor`, and `prototype` keys from parsed JSON locale files. Applied to all `readJsonSafe()` calls.
43
80
  - **runtime/index.js:** `deepMerge()` now blocks `__proto__`, `constructor`, and `prototype` keys during locale data merging. `readJsonSafe()` now applies `stripPrototypeKeys()` to all parsed JSON, ensuring prototype pollution protection at runtime data ingestion point.
44
81
  - **settings-manager.js:** `mergeWithDefaults()` now filters prototype pollution keys from user-supplied settings before spreading into defaults.
45
82
  - **safe-json.js:** Exported `stripPrototypePollution` for use by other modules.
46
83
 
47
84
  ### Fixed
85
+
48
86
  - **Backup:** Removed duplicate `const sourceDir` declaration that caused SyntaxError at module load (was unrecoverable crash for all backup operations).
49
87
  - **Backup:** Added `try/catch` around `JSON.parse()` in restore path to handle corrupt backup files gracefully with a descriptive error message.
50
88
  - **Complete:** Added missing `getUnifiedConfig` import from `utils/config-helper` (was ReferenceError at runtime).
@@ -56,6 +94,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
56
94
  - **i18n-helper:** `stripBOMAndComments()` now safely handles null/undefined inputs.
57
95
 
58
96
  ### Changed
97
+
59
98
  - **Version:** Bumped to 4.5.0 (minor version due to scope and severity of security fixes).
60
99
  - **i18n-helper deepMerge:** Synchronized with runtime `deepMerge` — now uses `Object.keys` (safe) instead of `for...in`, handles null target/fallback, and filters `__proto__`/`constructor`/`prototype` keys for consistent prototype pollution protection across all code paths.
61
100
  - **Testing:** Added `tests/edge-case-hardening.test.js` with 33 new tests covering prototype pollution protection, SecurityUtils edge cases, backup corrupt handling, report malformed JSON resilience, validation risk detection null-safety, config manager robustness, version consistency, and deepMerge edge cases.
@@ -64,6 +103,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
64
103
  ## [4.4.5] - 2026-06-08
65
104
 
66
105
  ### Fixed
106
+
67
107
  - Removed orphaned duplicate code block from `main/i18ntk-scanner.js` that caused a SyntaxError when loading the scanner CLI.
68
108
  - Fixed `utils/safe-json.js` where a duplicate `readJsonSafe` function overwrote the SecurityUtils-based implementation with an insecure version that referenced an undefined `fs` variable.
69
109
  - Added periodic cache eviction to `missingKeyCache` in `utils/i18n-helper.js` to prevent unbounded memory growth in long-running processes.
@@ -78,43 +118,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
78
118
  - **Security:** `validateConfig` now runs `isSafePath` validation on absolute paths instead of skipping them entirely (`return` in forEach was bypassing all checks for absolute config paths).
79
119
 
80
120
  ### Added
121
+
81
122
  - **Framework detection:** Added support for ngx-translate (Angular), next-intl (Next.js), nuxt-i18n (Nuxt), svelte-i18n (Svelte), and solid-i18n (Solid) framework detection via dependency lookup.
82
123
  - `detectFramework()` now also checks the `dependencies` property as a fallback for the `deps` array, ensuring backward compatibility.
83
124
  - Created `tests/fixtures/test.json` fixture so file system security tests validate real file reads instead of passing vacuously.
84
125
 
85
126
  ### Changed
127
+
86
128
  - Removed dead `{ gte }` import from `version-utils` and unused `FRAMEWORK_COMPATIBILITY` object from `framework-detector.js`.
87
129
  - Security test `logSecurityEvent` now properly sets `I18NTK_DEBUG` and `I18NTK_ENABLE_SECURITY_LOGS` env vars and uses try/catch to verify non-throw behavior.
88
130
  - `validateConfig` "reject invalid configuration" test now uses `assert.strictEqual` for stronger path traversal assertions.
89
131
 
90
- ## [4.4.4] - 2026-06-05
91
-
92
- ### Fixed
93
- - Likely-untranslated reporting now ignores placeholder-only and symbol/dynamic values such as `{file}`, `{path}`, and icon-prefixed labels instead of treating them as untranslated English.
94
- - Dynamic values with translated surrounding copy and English placeholder tokens, such as `"command": "指示: {command}"`, are no longer flagged as untranslated.
95
-
96
- ### Changed
97
- - `.i18ntk-config` now accepts a top-level `extensions` object for VS Code Workbench and Lens settings. The CLI preserves this section during config validation and ignores unknown extension-owned nested keys.
98
- - Documented shared config edge cases so editor extensions can sync workspace defaults without changing CLI behavior.
99
-
100
- ## [4.4.3] - 2026-06-04
101
-
102
- ### Fixed
132
+ ## [4.4.4] - 2026-06-05
133
+
134
+ ### Fixed
135
+
136
+ - Likely-untranslated reporting now ignores placeholder-only and symbol/dynamic values such as `{file}`, `{path}`, and icon-prefixed labels instead of treating them as untranslated English.
137
+ - Dynamic values with translated surrounding copy and English placeholder tokens, such as `"command": "指示: {command}"`, are no longer flagged as untranslated.
138
+
139
+ ### Changed
140
+
141
+ - `.i18ntk-config` now accepts a top-level `extensions` object for VS Code Workbench and Lens settings. The CLI preserves this section during config validation and ignores unknown extension-owned nested keys.
142
+ - Documented shared config edge cases so editor extensions can sync workspace defaults without changing CLI behavior.
143
+
144
+ ## [4.4.3] - 2026-06-04
145
+
146
+ ### Fixed
147
+
103
148
  - `package.public.json` now includes the `./report` export entry (`./utils/report-model.js`) that was missing, fixing the sync check during public package builds.
104
149
 
105
- ## [4.4.2] - 2026-06-02
106
-
107
- ### Fixed
108
- - Auto Translate `processFile()` now accepts source file paths relative to the current project, matching direct CLI behavior and avoiding safe-read failures in programmatic callers.
109
- - Auto Translate now treats protected product terms as allowed English when deciding whether existing target values should be kept in `only-missing` mode.
110
- - Auto Translate detects and retries more visibly broken target values, including replacement-character artifacts, mojibake, repeated question marks, and target-language prefix leftovers.
111
-
112
- ### Added
113
- - Added regression coverage for relative source paths, protected product terms, broken target values, placeholder handling, and managed Auto Translate residual checks.
114
-
115
- ## [4.4.1] - 2026-06-02
116
-
117
- ### Security
150
+ ## [4.4.2] - 2026-06-02
151
+
152
+ ### Fixed
153
+
154
+ - Auto Translate `processFile()` now accepts source file paths relative to the current project, matching direct CLI behavior and avoiding safe-read failures in programmatic callers.
155
+ - Auto Translate now treats protected product terms as allowed English when deciding whether existing target values should be kept in `only-missing` mode.
156
+ - Auto Translate detects and retries more visibly broken target values, including replacement-character artifacts, mojibake, repeated question marks, and target-language prefix leftovers.
157
+
158
+ ### Added
159
+
160
+ - Added regression coverage for relative source paths, protected product terms, broken target values, placeholder handling, and managed Auto Translate residual checks.
161
+
162
+ ## [4.4.1] - 2026-06-02
163
+
164
+ ### Security
165
+
118
166
  - **HIGH**: Backup operations (`create`, `restore`, `list`, `verify`) now validate all path arguments via `SecurityUtils.validatePath()`. Previously, `i18ntk-backup` accepted arbitrary `--output` and source directory paths without any validation, enabling writes outside project boundaries.
119
167
  - **HIGH**: Backup `handleCreate`, `handleRestore` now use `SecurityUtils.safeWriteFileSync`, `safeReadFileSync`, `safeMkdirSync` instead of raw `fs.promises`/`fs` calls.
120
168
  - **HIGH**: `i18ntk-complete` now validates `--source-dir` CLI override through `SecurityUtils.validatePath()` and sanitizes `--source-language` through `SecurityUtils.sanitizeInput()` instead of accepting raw user input.
@@ -127,11 +175,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
127
175
  - **LOW**: i18ntk Lens `scanner.ts` now rejects custom wrapper names > 100 characters to prevent ReDoS via malicious VSCode config values.
128
176
 
129
177
  ### Added
178
+
130
179
  - `SecurityUtils.MAX_JSON_SIZE`, `SecurityUtils.MAX_JSON_DEPTH`, `SecurityUtils.MAX_FILENAME_LENGTH` constants for configurable safety limits.
131
180
 
132
181
  ## [4.4.0] - 2026-06-02
133
182
 
134
183
  ### Added
184
+
135
185
  - Dead-key detection now uses resolved dynamic key data from usage insights instead of crude text-overlap heuristics. Keys expanded from template literals or const arrays are properly tracked and marked with low confidence.
136
186
  - Locale JSON import detection: `import en from '../../locales/en/foo.json'` is detected and property accesses are tracked as key usages.
137
187
  - Confidence-split unused key reports: confirmed (≥80%), likely (40-80%), possibly used (<40%).
@@ -150,10 +200,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
150
200
  - i18ntk Workbench and i18ntk Lens can read Auto Translate residual reports, show the affected key in the VS Code editor, and offer a quick action to add intentionally unchanged keys to Auto Translate protection.
151
201
  - Bounded dynamic expansion suggestions in usage report with explicit-map recommendation pattern.
152
202
  - Telemetry/event literal classification: known-key strings inside `trackEvent()`, `emitDomainEvent()`, `analytics.track()`, etc. are classified as `literal-telemetry` and excluded from translation usage counts. Non-translation calls get context notes in the report.
153
- - Object-method translation calls: `input.tx("key")`, `helper.tx("key")`, and `.tx(\`key.${var}\`)` are now recognized as translation calls alongside standalone `tx()`.
203
+ - Object-method translation calls: `input.tx("key")`, `helper.tx("key")`, and `.tx(\`key.${var}\`)`are now recognized as translation calls alongside standalone`tx()`.
154
204
  - Local wrapper resolution: functions like `const text = (key, fallback) => tx(key)` that internally call known translation runtimes are detected and their string-literal invocations resolved to keys with `local-wrapper` match type.
155
205
 
156
206
  ### Fixed
207
+
157
208
  - `--source-dir` and `--i18n-dir` no longer forced to the same value when both are explicitly passed via CLI.
158
209
  - Path display (`displayPaths`) now reflects CLI overrides instead of only config file values.
159
210
  - Dead-key detection `_matchesDynamicPattern` replaced with `_matchesDynamicPrefix` using actual resolved data.
@@ -162,12 +213,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
162
213
  - Object-method `tx()` calls and local wrapper functions are now included in usage analysis, preventing Lens false positives on keys used through these patterns.
163
214
 
164
215
  ### Changed
216
+
165
217
  - VSCode workbench bumped to 1.1.0, lens extension to 1.1.0.
166
218
  - Major changes list in package.json and package.public.json updated for 4.4.0.
167
219
 
168
220
  ## [4.3.3] - 2026-06-01
169
221
 
170
222
  ### Fixed
223
+
171
224
  - Usage extraction no longer reports ordinary method calls such as `get("next")`, `headers.get("etag")`, `set(...)`, or `setItem(...)` as missing translation keys.
172
225
  - Usage insights now resolve `tx(...)` wrapper calls and bounded dynamic `tx` template keys, reducing false unused-key reports for local wrappers.
173
226
  - Key naming validation now supports hybrid dot-path plus snake_case segment keys, such as `namespace.section.snake_case_leaf`, while still rejecting malformed separators and uppercase segments.
@@ -176,12 +229,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
176
229
  ## [4.3.2] - 2026-05-31
177
230
 
178
231
  ### Changed
232
+
179
233
  - Documentation, README badges, and migration guidance now reference the current 4.3.2 release.
180
234
  - Release metadata now marks 4.3.0 for npm deprecation because its npm tarball is unavailable.
181
235
 
182
236
  ## [4.3.1] - 2026-05-31
183
237
 
184
238
  ### Fixed
239
+
185
240
  - Published tarball now includes `utils/english-placeholder-checker.js`, resolving `MODULE_NOT_FOUND` at startup for `i18ntk-fixer --check-placeholders` and manager option 7.
186
241
  - Language-specific CLI entry points (`main/i18ntk-go.js`, `main/i18ntk-java.js`, `main/i18ntk-js.js`, `main/i18ntk-php.js`, `main/i18ntk-py.js`) and their shared `utils/mini-commander.js` dependency are now included in the published package.
187
242
  - Removed inconsistent `.js` extension suffixes from require paths in `main/i18ntk-js.js`.
@@ -189,6 +244,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
189
244
  ## [4.3.0] - 2026-05-31
190
245
 
191
246
  ### Fixed
247
+
192
248
  - Auto Translate now treats single-word uppercase target-language placeholders such as `[AR] Email` and `[AR] Password` as untranslated target values, matching the existing multi-word `[AR] What We Offer` detection.
193
249
  - Auto Translate now treats bracketed target-language placeholders case-insensitively, so `[zh] Email` and `[TR] Password` are both retried for the matching target language.
194
250
  - Managed Auto Translate now checks every selected source file for a target language before reporting leftover failures, instead of stopping after the first failed file.
@@ -199,11 +255,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
199
255
  ## [4.2.1] - 2026-05-31
200
256
 
201
257
  ### Changed
258
+
202
259
  - Auto Translate now treats uppercase target-language placeholders such as `[AR] What We Offer` as untranslated target values when the bracketed code matches the target language, so target-aware mode sends the source text for translation instead of keeping the placeholder copy.
203
260
  - Auto Translate now performs a final pre-write leftover check and retries values that still look like placeholder-prefixed untranslated text, untranslated markers, source-language copies, or broken output.
204
261
  - Auto Translate reports leftover values in the post-translation report and exits with validation failure when leftovers remain after the final retry, instead of reporting a clean completion.
205
262
 
206
263
  ### Fixed
264
+
207
265
  - Usage analysis no longer writes its inferred app source fallback, such as `src`, back into the shared locale configuration when `sourceDir` and `i18nDir` are both the locale directory.
208
266
  - Manager sizing now reads the configured i18n directory unless `--source-dir` is explicitly provided, so running sizing after usage no longer silently analyzes the wrong directory.
209
267
  - Manager sizing now treats a failed sizing analysis as a command failure instead of printing a generic operation success.
@@ -212,6 +270,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
212
270
  ## [4.2.0] - 2026-05-30
213
271
 
214
272
  ### Security
273
+
215
274
  - Shared path validation no longer permits artifact-like filenames such as `.lock` or `.temp-config.json` to bypass base-directory containment.
216
275
  - Shared path validation now rejects Windows cross-drive escape cases where `path.relative()` returns an absolute path.
217
276
  - Custom `I18NTK_INTERNAL_PATH_PREFIXES` entries can no longer mark arbitrary outside directories as internal roots.
@@ -220,6 +279,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
220
279
  - Auto Translate provider URL validation now blocks IPv4-mapped IPv6 loopback/private hosts.
221
280
 
222
281
  ### Changed
282
+
223
283
  - Main runtime now includes production-safe features from the enhanced runtime surface: per-call language overrides, synchronous `translateBatch()`, and `clearCache()` / `getCacheInfo()` helpers.
224
284
  - `i18ntk/runtime/enhanced` remains available as a legacy public subpath for compatibility, while new production integrations should prefer the lightweight `i18ntk/runtime` API.
225
285
  - Usage analysis now indexes known translation keys back to source files, including direct i18n calls and literal key references that were previously missed.
@@ -242,6 +302,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
242
302
  - Updated public, root, and development package metadata for the 4.2.0 release line.
243
303
 
244
304
  ### Fixed
305
+
245
306
  - Runtime JSON loading now preserves valid translation strings containing comment-like text such as `/* token */` by parsing valid JSON before using the comment-stripping fallback.
246
307
  - Enhanced runtime now exports the top-level `translateBatch()`, `translateBatchEncrypted()`, and `tTyped()` helpers declared by its TypeScript definitions, and those declarations now reflect async return values.
247
308
  - Usage analysis no longer scans the project root when `sourceDir` and `i18nDir` both point at the locale directory; it now uses a detected app source directory or disables usage scanning with a clear warning.
@@ -258,6 +319,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
258
319
  ## [4.1.0] - 2026-05-21
259
320
 
260
321
  ### Fixed
322
+
261
323
  - Runtime: stale manifest entries (deleted files after manifest construction) no longer cause unhandled exceptions; loadedFiles set before load with try/catch guard.
262
324
  - Runtime: `refresh()` now correctly clears the key manifest for the refreshed language, preventing stale file references.
263
325
  - Runtime: null `baseDir` guard prevents cascading `validatePath(null)` errors in `loadKeyManifestFromDir`.
@@ -275,7 +337,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
275
337
  - Watch: debounce `setTimeout` timers are now stored per-watcher and cleared on `emitter.stop()`, preventing memory leaks and spurious I/O after stop.
276
338
  - Watch: `'unlink'` events are now subscribed for backward-compatible plain-function callback users.
277
339
  - Usage: duplicate `require.main === module` block removed (caused `TypeError: Identifier 'main' has already been declared` at execution).
278
- - Usage: `_keyInSourceComments` optimized from O(n*m) to O(n+m) by pre-computing a `Set` of all comment strings once before the dead key loop.
340
+ - Usage: `_keyInSourceComments` optimized from O(n\*m) to O(n+m) by pre-computing a `Set` of all comment strings once before the dead key loop.
279
341
  - Usage: `--cleanup=false` and `--dry-run-delete=false` now correctly parse as falsy via `toBool()` helper.
280
342
  - Usage: broken `detectFrameworkPatterns()` call with `undefined` arguments removed.
281
343
  - Usage: dead `return;` in `analyze()` removed so the result object is now actually returned.
@@ -295,6 +357,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
295
357
  - Public package metadata updated.
296
358
 
297
359
  ### Security
360
+
298
361
  - Watch module: debounce timers properly cleaned up on stop and callback subscriptions corrected for object-format and unlink handlers.
299
362
  - Runtime: loadedFiles lock-before-load pattern prevents duplicate I/O and stale manifest crash.
300
363
  - Backup: circular parent reference detection; `--incremental=false` string truthy bypass closed.
@@ -307,6 +370,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
307
370
  ## [4.0.0] - 2026-05-21
308
371
 
309
372
  ### Added
373
+
310
374
  - **Sizing Expansion Prediction**: `i18ntk-sizing` now supports `--predict-expansion` flag that computes per-key character-count expansion ratios across languages and classifies them into Safe/Warning/Critical risk tiers for UI layout planning. Includes a built-in language-pair expansion reference table (EN→DE 35%, EN→RU 50%, EN→JA -40%, etc.).
311
375
  - **Watch Hot Reload**: `utils/watch-locales.js` rewritten as an EventEmitter-compatible watcher with debouncing (300ms default) and SHA-256 hash tracking to skip no-change saves. Returns a callable watcher object with `change`, `add`, `unlink`, `error` events and `stop()`.
312
376
  - **Usage Dead Key Detection**: `i18ntk-usage` adds `--cleanup` and `--dry-run-delete` flags that identify unused translation keys with confidence scores (0.0–1.0) factoring dynamic access patterns, comment references, and file recency. Produces a `.dead-keys.json` report for safe review before deletion.
@@ -317,28 +381,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
317
381
  - **Protection Context-Aware Rules**: `utils/translate/protection.js` extends the protection config schema to support context rules (`after:word`, `before:word`, `standalone`, `surrounded:left,right`). Plain string terms remain fully backward compatible. Total context rules capped at 100.
318
382
 
319
383
  ### Fixed
384
+
320
385
  - `i18ntk/runtime` `initRuntime()` now returns independent runtime instances with separate language, fallback language, base directory, and cache state. Later `initRuntime()` calls no longer overwrite earlier returned runtimes or the module-level compatibility singleton.
321
386
 
322
387
  ### Changed
388
+
323
389
  - `watchLocales()` now returns a callable watcher object with EventEmitter methods instead of only a bare `stop` function. Existing `const stop = watchLocales(...); stop();` usage remains supported. The returned object fires `change`, `add`, `unlink`, `error` events. If a callback function is passed as the second argument, it is auto-subscribed to `change` and `add` for backward compatibility.
324
390
  - **BREAKING**: `i18ntk-sizing` JSON reports now include `expansionPredictions` at the top level when `--predict-expansion` is used. This field is additive — existing report fields are preserved.
325
391
 
326
392
  ## [3.3.0] - 2026-05-20
327
393
 
328
394
  ### Changed
395
+
329
396
  - Auto Translate now supports `--provider google|deepl|libretranslate`; DeepL uses `DEEPL_API_KEY`, while LibreTranslate supports `LIBRETRANSLATE_URL` and optional `LIBRETRANSLATE_API_KEY`.
330
397
  - Auto Translate provider networking now keeps HTTPS, host allowlist, response-size, private-network, and redacted security logging protections in place for additional providers.
331
398
 
332
399
  ### Fixed
400
+
333
401
  - `i18ntk-complete` now fills missing target-language keys from the English source value with a language prefix such as `[DE] Home` instead of writing `NOT_TRANSLATED`; this works for both `locales/en/*.json` and monolith `locales/en.json` layouts.
334
402
 
335
403
  ### Security
404
+
336
405
  - Eliminated all 21 dynamic `require()` calls flagged by Socket.dev: 20 `require(path.join(__dirname, ...))` patterns in `i18ntk-js.js`, `i18ntk-py.js`, `i18ntk-java.js`, `i18ntk-php.js`, and `i18ntk-go.js` converted to static string literal requires.
337
406
  - Added `SecurityUtils.validatePath()` gate around the remaining dynamic `require()` in `i18ntk-translate.js` `loadCustomTranslateFn`.
338
407
  - Created `utils/translate/safe-network.js` — a secure HTTPS wrapper with URL host/path allowlist validation, response size limits (100KB), suspicious query parameter detection, and security event logging. All outbound network access now flows through this validated layer.
339
408
  - Replaced direct `https.get` call in `utils/translate/api.js` with `safeHttpGet` from the safe-network wrapper.
340
409
 
341
410
  ### Docs
411
+
342
412
  - README.md updated for v3.3.0 Auto Translate providers and secure provider operations.
343
413
  - SECURITY.md updated with Socket.dev analysis disclaimer and guidance on expected alerts for a CLI/i18n toolkit.
344
414
  - CHANGELOG.md and `package.json` versionInfo updated for v3.3.0.
@@ -347,18 +417,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
347
417
 
348
418
  This package is a developer CLI and runtime helper that performs file I/O, network access (translation provider APIs on user request), and environment variable access. As such, Socket.dev will flag the following alerts that are **expected and by design**:
349
419
 
350
- | Alert | Why it's expected |
351
- |---|---|
352
- | Network access | Only contacts configured translation providers via HTTPS when user invokes auto-translate. All outbound calls flow through `safe-network.js` with host/path allowlist validation, response size limits, private-network blocking, and redacted security event logging. No telemetry, no unexpected outbound calls. |
353
- | Environment variable access | Centralized through `env-manager.js` with a strict allowlist. Blocks `SECRET`, `PASSWORD`, `KEY`, `TOKEN`, `AWS_*`, `NPM_*`, and 15+ other patterns. |
354
- | Filesystem access | Reads/writes only project locale files and reports within validated paths. All FS operations gated by `SecurityUtils.validatePath`. |
355
- | URL strings | Hardcoded default provider URLs for Google, DeepL, and LibreTranslate used only for auto-translation. No external resource loading. |
420
+ | Alert | Why it's expected |
421
+ | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
422
+ | Network access | Only contacts configured translation providers via HTTPS when user invokes auto-translate. All outbound calls flow through `safe-network.js` with host/path allowlist validation, response size limits, private-network blocking, and redacted security event logging. No telemetry, no unexpected outbound calls. |
423
+ | Environment variable access | Centralized through `env-manager.js` with a strict allowlist. Blocks `SECRET`, `PASSWORD`, `KEY`, `TOKEN`, `AWS_*`, `NPM_*`, and 15+ other patterns. |
424
+ | Filesystem access | Reads/writes only project locale files and reports within validated paths. All FS operations gated by `SecurityUtils.validatePath`. |
425
+ | URL strings | Hardcoded default provider URLs for Google, DeepL, and LibreTranslate used only for auto-translation. No external resource loading. |
356
426
 
357
427
  The v3.3.0 release resolves the actionable dynamic-require alert by eliminating all 21 instances.
358
428
 
359
429
  ## [3.2.0] - 2026-05-16
360
430
 
361
431
  ### Security
432
+
362
433
  - **CRITICAL**: Fixed invalid `crypto.createCipherGCM`/`createDecipherGCM` API calls in `admin-pin.js` — replaced with `crypto.createCipheriv`/`createDecipheriv`.
363
434
  - **CRITICAL**: Fixed missing `SecurityUtils` imports in `admin-pin.js`, `security-config.js`, and `scripts/security-check.js` causing `ReferenceError` at runtime.
364
435
  - **CRITICAL**: Removed encryption key stored alongside ciphertext in `admin-pin.js`. The AES key was stored in the same JSON file as the encrypted PIN, providing zero cryptographic protection. Encryption key is now derived via HKDF from the scrypt hash.
@@ -371,6 +442,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
371
442
  - Fixed `admin-pin.js` `getPinDisplay` to use stored `pinLength` instead of decrypting the raw PIN into memory.
372
443
 
373
444
  ### Fixed
445
+
374
446
  - `admin-pin.js` lockout now uses timestamp-based expiry (`lockedUntil`) instead of `setTimeout`, ensuring lockout state survives process restarts.
375
447
  - `translate/traverse.js` `setLeaf` now correctly creates `[]` for numeric array indices (was creating `{}`).
376
448
  - `translate/traverse.js` extracted shared `parseKeyPath` function — `setLeaf` and `getLeaf` had duplicate path-parsing logic.
@@ -390,6 +462,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
390
462
  - `admin-pin.js` scrypt→pbkdf2 fallback now emits a console warning instead of failing silently.
391
463
 
392
464
  ### Changed
465
+
393
466
  - Updated all documentation to v3.2.0: README, CHANGELOG, docs/README, getting-started, runtime, auto-translate, environment-variables, scanner-guide, API_REFERENCE, COMPONENTS, and CONFIGURATION.
394
467
  - Updated `package.json` version, `versionInfo`, `majorChanges`, and `nextVersion` for v3.2.0.
395
468
  - Socket badge URL updated to v3.2.0.
@@ -397,31 +470,37 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
397
470
  ## [3.1.2] - 2026-05-07
398
471
 
399
472
  ### Fixed
473
+
400
474
  - Auto Translate now resolves locale roots such as `./locales` to the selected source-language folder such as `./locales/en` when JSON files are stored under language folders.
401
475
  - Public package staging now verifies root `package.json` and `package.public.json` release metadata are synchronized before pack or publish.
402
476
  - Added a safe `publish:public:dry-run` path for validating the exact staged npm publish flow.
403
477
 
404
478
  ### Changed
479
+
405
480
  - Updated release docs, npm README metadata, and package manifests for v3.1.2.
406
481
  - Kept generated backups, temporary benchmark datasets, local setup state, and debug repair files out of future public repo commits through `.gitignore`.
407
482
 
408
483
  ## [3.1.1] - 2026-05-07
409
484
 
410
485
  ### Added
486
+
411
487
  - **Auto Translate protection file workflow**: Added user-editable `i18ntk-auto-translate.json` support for protected terms, key paths, exact values, and regex patterns.
412
488
  - **Public package README guard**: Public package staging now verifies `README.md` is included and non-empty before publish.
413
489
 
414
490
  ### Changed
491
+
415
492
  - Updated README and release documentation for the current Auto Translate protection workflow and public package contents.
416
493
  - Removed project-specific hardcoded validation examples so users configure their own brand and domain terms.
417
494
 
418
495
  ### Fixed
496
+
419
497
  - Removed provider-shaped fake secret fixtures from tests to avoid GitHub push protection false positives.
420
498
  - Ensured public package metadata includes `readmeFilename: "README.md"` so npm can render the package README.
421
499
 
422
500
  ## [3.1.0] - 2026-05-07
423
501
 
424
502
  ### Added
503
+
425
504
  - **Placeholder-preserve translation mode**: Translates text segments around dynamic placeholders and reinserts the original tokens exactly.
426
505
  - **Auto Translate beta settings**: Added settings for placeholder mode, concurrency, batch size, progress interval, retry count, retry delay, timeout, dry-run preview, report output, and BOM output.
427
506
  - **Large-file tuning flags**: Added `--batch-size` and `--progress-interval` to `i18ntk-translate`.
@@ -430,6 +509,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
430
509
  - **Sizing file-set analysis**: Added per-language file counts, per-file sizing statistics, and missing/extra file comparison across locale folders.
431
510
 
432
511
  ### Changed
512
+
433
513
  - Automated and manager Auto Translate flows now default to placeholder `preserve` mode instead of skipping placeholder-bearing strings.
434
514
  - `i18ntk-translate` can now be imported and run in-process by other package modules.
435
515
  - Source JSON reads tolerate UTF-8 BOM-prefixed files.
@@ -438,17 +518,20 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
438
518
  - Sizing reports now include folder-level file counts and per-file key/character breakdowns for each language.
439
519
 
440
520
  ### Fixed
521
+
441
522
  - Fixed false-positive validation warnings for normal product copy terms.
442
523
  - Fixed validator handling so ordinary explanatory uses of words like `token` or `secret` are not treated as leaked credentials.
443
524
  - Fixed distorted `i18ntk-sizing` table output by rendering aligned columns from measured values instead of fixed localized spacing.
444
525
  - Fixed sizing language comparison output so it uses analyzed languages and the configured source language baseline.
445
526
 
446
527
  ### Security
528
+
447
529
  - Removed production `child_process` usage from `main/manage/commands/TranslateCommand.js` by replacing the spawned CLI process with an in-process translator call.
448
530
 
449
531
  ## [3.0.0] - 2026-05-05
450
532
 
451
533
  ### Added
534
+
452
535
  - **`i18ntk-translate`**: Zero-dependency CLI tool that converts English source JSON locale files into any target language via Google's free Translate API.
453
536
  - **Placeholder protection**: Intelligent detection, masking, and unmasking of dynamic placeholder tokens (`{name}`, `{{count}}`, `%d`, `%s`, `:param`, `{{variable}}`, `%{name}`, `${var}`, etc.) to prevent corruption during translation.
454
537
  - **Custom regex support**: `--custom-regex` flag to define additional placeholder patterns for detection and protection.
@@ -463,11 +546,13 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
463
546
  - **Deep JSON traversal**: Full support for nested objects and arrays, preserving data types, null values, and non-string leaf values.
464
547
 
465
548
  ### Changed
549
+
466
550
  - Version bumped to 3.0.0 (major release with new translation tool feature).
467
551
 
468
552
  ## [2.6.0] - 2026-05-03
469
553
 
470
554
  ### Security
555
+
471
556
  - **CRITICAL**: Fixed 8+ silent-write failures where `safeWriteFileSync` was called without basePath parameter across `utils/config.js`, `utils/config-helper.js`, `utils/secure-errors.js`, and `main/i18ntk-scanner.js`.
472
557
  - Replaced all raw `fs` calls (`readdirSync`, `statSync`, `mkdirSync`, `unlinkSync`, `rmSync`) with `SecurityUtils` wrappers in `main/i18ntk-validate.js`, `main/i18ntk-scanner.js`, `main/manage/commands/FixerCommand.js`, and `utils/secure-errors.js`.
473
558
  - Fixed path traversal checks in `security.js` and `config-manager.js` — replaced fragile `path.sep`-based comparison with robust `startsWith('..')` prefix check.
@@ -475,6 +560,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
475
560
  - Fixed `SecurityUtils.safeParseJSON` reference leak — deep-clones objects instead of returning caller's reference.
476
561
 
477
562
  ### Fixed
563
+
478
564
  - Fixed `main/i18ntk-analyze.js` `this.adminAuth` reference error (local variable was not assigned to instance property).
479
565
  - Fixed `main/i18ntk-validate.js` `ExitCodes.CONFIG_ERROR` referenced before declaration.
480
566
  - Fixed `main/i18ntk-scanner.js` `fs.readdirSync(projectRoot, { recursive: true })` removed (unsupported in older Node.js).
@@ -491,37 +577,45 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
491
577
  - Fixed `utils/admin-auth.js` `uncaughtException` handler wrong parameter format.
492
578
 
493
579
  ### Added
580
+
494
581
  - `SecurityUtils.safeUnlinkSync(filePath, basePath)` — safely delete a file.
495
582
  - `SecurityUtils.safeRmdirSync(dirPath, basePath)` — safely remove a directory.
496
583
 
497
584
  ### Changed
585
+
498
586
  - `configManager.resolvePaths`, `configManager.toRelative`, and config lock path now dynamically resolve via `getUserProjectRoot()`/`getProjectConfigPath()`.
499
587
  - `configManager.CONFIG_PATH` is now a getter that dynamically returns the project config path.
500
588
  - `configManager.migrateLegacyIfNeeded` exported for testability.
501
589
 
502
590
  ### TypeScript
591
+
503
592
  - Fixed `runtime/i18ntk.d.ts` `BasicI18nRuntime.translate` and `t` return types from `Promise<string>` to `string`.
504
593
 
505
594
  ### Scripts
595
+
506
596
  - Fixed `scripts/build-public-package.js` and `scripts/reset-release-state.js` `npm_execpath` fallback for missing env var.
507
597
  - Fixed `scripts/lint-locales.js` BOM handling and try-catch for `fs.readdirSync`.
508
598
 
509
599
  ## [2.5.1] - 2026-04-29
510
600
 
511
601
  ### Security
602
+
512
603
  - Fixed `AdminAuth.verifyPin()` to fail closed when admin config is missing, disabled, or malformed instead of returning success.
513
604
  - Fixed auth-required checks to fail closed when settings require admin PIN protection but the admin config is unusable.
514
605
  - Normalized admin session expiry handling by storing both `expires` and `expiresAt` and cleaning up both formats consistently.
515
606
 
516
607
  ### Added
608
+
517
609
  - Added regression tests for admin PIN fail-closed behavior and session expiry cleanup.
518
610
 
519
611
  ### Changed
612
+
520
613
  - Documented the public npm package staging flow introduced after `2.5.0`.
521
614
 
522
615
  ## [2.5.0] - 2026-04-29
523
616
 
524
617
  ### Security
618
+
525
619
  - Centralized environment-variable access behind the `utils/env-manager.js` allowlist.
526
620
  - Hardened `SecurityUtils.safeJoin()` and path validation against sibling-prefix containment bypasses.
527
621
  - Switched admin PIN hash verification to timing-safe comparison.
@@ -529,17 +623,20 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
529
623
  - Expanded the release security scanner to inspect nested production source files.
530
624
 
531
625
  ### Fixed
626
+
532
627
  - Fixed the manager fixer command so applied fixes are written to the same parsed object that is saved.
533
628
  - Fixed fixer writes for absolute source directories outside the current working directory.
534
629
  - Fixed debug-menu file reads to use `SecurityUtils` wrappers.
535
630
  - Fixed `secure-errors` to import its `SecurityUtils` dependency explicitly.
536
631
 
537
632
  ### Changed
633
+
538
634
  - Updated package and documentation metadata to `2.5.0`.
539
635
 
540
636
  ## [2.4.0] - 2026-04-16
541
637
 
542
638
  ### Changed
639
+
543
640
  - Disabled npm registry update-check behavior in CLI startup paths.
544
641
  - Disabled manager-route backup execution (`i18ntk --command=backup`); standalone `i18ntk-backup` remains available.
545
642
  - Disabled setup prerequisite command probing via `PATH` inspection.
@@ -548,6 +645,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
548
645
  ## [2.3.8] - 2026-04-13
549
646
 
550
647
  ### Added
648
+
551
649
  - Added centralized structured logger with standardized prefixes and configurable levels (`error`, `warn`, `info`, `debug`).
552
650
  - Added opt-in JSON log output for CI/build pipelines via `JSON_LOG=true`.
553
651
  - Added missing-translation-key cache TTL (5 minutes) to prevent repeated key-miss spam.
@@ -555,11 +653,13 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
555
653
  - Added test coverage for logger timing/progress/worker aggregation behavior.
556
654
 
557
655
  ### Fixed
656
+
558
657
  - Fixed repeated default-configuration fallback output by emitting a single fallback notice per process.
559
658
  - Fixed recursive security/i18n logging interactions that could trigger repeated warning cascades.
560
659
  - Fixed false-positive security warnings for internal package/project absolute paths through internal root whitelisting.
561
660
 
562
661
  ### Changed
662
+
563
663
  - Logging is now silent by default for non-critical output in production-like builds unless `DEBUG_MODE=true`.
564
664
  - Security warning reasons now use specific detection details instead of generic "dangerous patterns".
565
665
  - Updated package/docs/version metadata to `2.3.8`.
@@ -567,10 +667,12 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
567
667
  ## [2.3.7] - 2026-04-12
568
668
 
569
669
  ### Fixed
670
+
570
671
  - Removed false-positive path traversal warnings for safe absolute project paths during framework builds.
571
672
  - Reduced repeated default-configuration console noise in multi-worker build environments.
572
673
 
573
674
  ### Changed
675
+
574
676
  - Security event console logging is now fully opt-in via `I18NTK_ENABLE_SECURITY_LOGS=true` (or debug envs).
575
677
  - Config-manager diagnostic console logging is now fully opt-in via `I18NTK_ENABLE_LOGS=true` (or debug envs).
576
678
  - Updated docs to reflect new default-silent logging behavior and troubleshooting toggles.
@@ -578,16 +680,19 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
578
680
  ## [2.3.6] - 2026-04-12
579
681
 
580
682
  ### Security
683
+
581
684
  - **Fixed path traversal vulnerability** in temporary file creation
582
685
  - **Added `safeJoin` function** for secure path construction
583
686
  - **Improved path validation** throughout the codebase
584
687
 
585
688
  ### Fixed
689
+
586
690
  - Hardened settings reset and backup cleanup paths to reduce risk of broad/deep unintended file deletion.
587
691
  - Hardened backup command path handling to keep source/output/restore operations inside project boundaries by default.
588
692
  - Fixed backup-class async file operations to consistently use `fs.promises` APIs.
589
693
 
590
694
  ### Changed
695
+
591
696
  - **Silent security logging by default**: Info-level messages suppressed, warnings/errors shown
592
697
  - **Debug mode**: Enable verbose logging with `I18N_DEBUG=true`
593
698
  - **Centralized security logging**: All security events use `SecurityUtils.logSecurityEvent()`
@@ -597,76 +702,92 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
597
702
  ## [2.3.4] - 2026-04-12
598
703
 
599
704
  ### Fixed
705
+
600
706
  - Fixed runtime autosave behavior so configuration write failures no longer hard-throw through request/render paths.
601
707
  - Fixed config save race resilience by combining queued writes, cross-process lock files, and unique temp filenames per write.
602
708
 
603
709
  ### Added
710
+
604
711
  - Added `I18NTK_DISABLE_AUTOSAVE` support to skip disk persistence and keep in-memory config in server/runtime environments.
605
712
  - Added config-manager concurrency regression test covering parallel `saveConfig` calls.
606
713
 
607
714
  ### Changed
715
+
608
716
  - Updated package/docs/version metadata to `2.3.4`.
609
717
  - Updated support policy guidance to recommend upgrading from versions below `2.3.4`.
610
718
 
611
719
  ## [2.3.3] - 2026-04-12
612
720
 
613
721
  ### Fixed
722
+
614
723
  - Fixed production config persistence race across multiple Node processes by adding cross-process file locking for `.i18ntk-config` writes.
615
724
  - Fixed intermittent `ENOENT` during atomic config rename operations under concurrent production traffic.
616
725
 
617
726
  ### Changed
727
+
618
728
  - Updated package/docs/version metadata to `2.3.3`.
619
729
  - Updated support policy guidance to recommend upgrading from versions below `2.3.3`.
620
730
 
621
731
  ## [2.3.2] - 2026-04-12
622
732
 
623
733
  ### Added
734
+
624
735
  - Added startup npm-registry version checks that warn when the installed CLI is behind the latest published `i18ntk` release.
625
736
  - Added support for checking all published semver versions up to the current latest tag to improve outdated-version detection reliability.
626
737
 
627
738
  ### Fixed
739
+
628
740
  - Fixed fatal analyze-command startup failure in manager command flow caused by missing `validateSourceDir` import.
629
741
 
630
742
  ### Changed
743
+
631
744
  - Updated package/docs/version metadata to `2.3.2`.
632
745
  - Updated support policy guidance to recommend upgrading from versions below `2.3.2`.
633
746
 
634
747
  ## [2.3.1] - 2026-04-12
635
748
 
636
749
  ### Fixed
750
+
637
751
  - Fixed package export-path fallback in `utils/i18n-helper` that could trigger build warnings in production bundlers (`i18ntk/resources/i18n/ui-locales/en.json` not exported).
638
752
 
639
753
  ### Changed
754
+
640
755
  - Updated package/docs/version metadata to `2.3.1`.
641
756
  - Updated support policy guidance to recommend upgrading from versions below `2.3.1`.
642
757
 
643
758
  ## [2.3.0] - 2026-04-12
644
759
 
645
760
  ### Added
761
+
646
762
  - Added validation summary report output after validation runs.
647
763
  - Added init-time backup configuration prompt (default disabled, optional enable).
648
764
 
649
765
  ### Fixed
766
+
650
767
  - Fixed backup recursion/pollution risk by moving automated fixer backups to a dedicated backup root.
651
768
  - Fixed backup retention behavior to keep 1 by default with enforced bounds up to 3.
652
769
  - Fixed language discovery in validate/fixer flows to ignore backup/report directories.
653
770
 
654
771
  ### Changed
772
+
655
773
  - Updated package/docs/version metadata to `2.3.0`.
656
774
  - Updated support policy guidance to recommend upgrading from versions below `2.3.0`.
657
775
 
658
776
  ## [2.2.0] - 2026-04-12
659
777
 
660
778
  ### Added
779
+
661
780
  - Added an explicit upgrade/support notice in docs recommending upgrade from pre-`2.2.0` versions.
662
781
  - Added migration guide for `v2.2.0`.
663
782
 
664
783
  ### Fixed
784
+
665
785
  - Fixed critical sizing workflow regressions.
666
786
  - Fixed critical usage-analysis workflow regressions.
667
787
  - Fixed runtime locale optimizer dependency path after publish-surface cleanup.
668
788
 
669
789
  ### Changed
790
+
670
791
  - Reduced publish surface by excluding internal development scripts from npm package artifacts.
671
792
  - Excluded legacy fixed artifacts from package output (`main/manage/index-fixed.js`, `utils/security-fixed.js`).
672
793
  - Updated package/docs/version metadata to `2.2.0`.
@@ -674,15 +795,18 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
674
795
  ## [2.1.1] - 2026-04-11
675
796
 
676
797
  ### Added
798
+
677
799
  - Version bump to 2.1.1 for release.
678
800
  - Added `SecurityUtils.debugLog` function for consistent debugging.
679
801
 
680
802
  ### Fixed
803
+
681
804
  - Fixed `SecurityUtils.logSecurityEvent` calls missing `level` parameter in `i18ntk-usage` and `UsageService`.
682
805
  - Fixed `level.toLowerCase is not a function` error in usage analysis.
683
806
  - Fixed `SecurityUtils.debugLog is not a function` error in sizing analysis.
684
807
 
685
808
  ### Changed
809
+
686
810
  - Updated package and release metadata to `2.1.1`.
687
811
  - Removed legacy `resources/i18n/ui-locales` path references (use `ui-locales/` instead).
688
812
  - Updated all UI locale loading to use `ui-locales/` directory.
@@ -690,10 +814,12 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
690
814
  ## [2.1.0] - 2026-04-11
691
815
 
692
816
  ### Added
817
+
693
818
  - Added a v2.1.0 migration guide and updated release runbook references.
694
819
  - Added stricter language-directory filtering in analysis paths to ignore backup/report folders.
695
820
 
696
821
  ### Fixed
822
+
697
823
  - Fixed interactive menu command flow so it reliably returns to the main menu after command completion.
698
824
  - Fixed analysis progress output to report the correct processed-language count.
699
825
  - Fixed duplicate report-save output lines during analysis.
@@ -702,70 +828,84 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
702
828
  - Fixed locale-loading path fallback behavior to avoid noisy startup errors in global installs.
703
829
 
704
830
  ### Changed
831
+
705
832
  - Synchronized and normalized UI locale keys across `resources/i18n/ui-locales` and `ui-locales`.
706
833
  - Updated package/release metadata to `2.1.0`.
707
834
 
708
835
  ## [2.0.0] - 2026-01-01
709
836
 
710
837
  ### Added
838
+
711
839
  - Added missing runtime translation keys across `init`, `fixer`, `sizing`, `summary`, `usage`, and settings import/export flows.
712
840
  - Added `SecurityUtils.safeParseJSON`, `SecurityUtils.safeReadFile`, and `SecurityUtils.safeWriteFile` compatibility APIs used by v2 command paths.
713
841
  - Added source-locale bootstrap behavior during `init` when the source language directory exists but has no translation files.
714
842
 
715
843
  ### Fixed
844
+
716
845
  - Fixed initialization state detection to use project `.i18ntk-config` setup metadata as the v2 source of truth.
717
846
  - Fixed false setup-invalid states caused by BOM-encoded config files during setup checks.
718
847
  - Fixed config persistence risk by using atomic writes in `config-manager` save flow.
719
848
  - Fixed self-dependency metadata so the package remains zero-dependency in v2.
720
849
 
721
850
  ### Changed
851
+
722
852
  - Updated package release metadata for the v2 line (`versionInfo`, deprecations, nextVersion).
723
853
 
724
854
  ## [1.10.2] - 2025-08-23
725
855
 
726
856
  ### 🚨 Critical Fix
857
+
727
858
  - **Fixed projectRoot default path**: Resetting settings now correctly restores `projectRoot` to `/` instead of `./`, ensuring fresh installs work out-of-the-box
728
859
 
729
860
  ### 🆕 New Features
861
+
730
862
  - **Centralized Environment Variable Management**: Added comprehensive environment variable support with validation and security controls
731
863
  - **Enhanced Debug Logging**: Improved debug logging with environment variable support for better troubleshooting
732
864
  - **Secure Plugin Loading**: Added path sanitization for module loading to prevent security issues
733
865
 
734
866
  ### 🔒 Security Enhancements
867
+
735
868
  - **Enhanced Path Validation**: Strengthened path validation and file operations security
736
869
  - **Secure Module Loading**: Added path sanitization for all plugin/module loading operations
737
870
  - **Environment Variable Security**: Implemented centralized environment variable management with security filtering
738
871
 
739
872
  ### 🛠️ Improvements
873
+
740
874
  - **Refactored Configuration Handling**: Updated config system with integrated environment variable support
741
875
  - **Enhanced Logging System**: Improved debug logging capabilities with environment variable integration
742
876
  - **Better Error Handling**: Enhanced error messages and debugging information
743
877
 
744
878
  ### 📚 Documentation
879
+
745
880
  - **Environment Variables Guide**: Added comprehensive documentation for all supported environment variables
746
881
  - **Migration Notes**: Added clear migration guidance for projectRoot path changes
747
882
 
748
883
  ### 🔧 Technical Changes
884
+
749
885
  - **Package Version**: Updated to v1.10.2 across all files
750
886
  - **Security Patches**: Applied security improvements to path handling and file operations
751
887
 
752
888
  ## [1.10.1] - 2025-08-22
753
889
 
754
890
  ### Added
891
+
755
892
  - **New Terminal-Icons Utility**: Added `terminal-icons` utility for better emoji support in terminal output
756
893
  - **Enhanced UI Text Processing**: Improved text processing with terminal-safe fallbacks for special characters
757
894
 
758
895
  ### Fixed
896
+
759
897
  - Fixed infinite setup loop issue (Hotfix)
760
898
  - Resolved version string update inconsistencies
761
899
 
762
900
  ### Changed
901
+
763
902
  - Update version strings across all files from 1.9.1 to 1.10.1
764
903
  - Remove outdated package-lock.json and backup config
765
904
 
766
905
  ## [1.10.0] - 2025-08-22
767
906
 
768
907
  ### Added
908
+
769
909
  - **Enhanced Runtime API**: Improved framework-agnostic translation runtime with better TypeScript support
770
910
  - **Framework Detection**: Enhanced support for Next.js, Nuxt.js, and SvelteKit projects
771
911
  - **Reset Script**: Added `reset-for-publish.js` for clean package publishing
@@ -774,6 +914,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
774
914
  - **Caching System**: Added configuration caching to prevent redundant initialization
775
915
 
776
916
  ### Fixed
917
+
777
918
  - **DNR Functionality**: Fixed persistence of "Do Not Remind" settings across version updates
778
919
  - **Settings Management**: Improved error handling and logging for settings operations
779
920
  - **TypeScript Definitions**: Enhanced type safety and autocomplete for better developer experience
@@ -783,17 +924,17 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
783
924
  - **Path Resolution**: Fixed source directory path handling for CLI arguments
784
925
 
785
926
  ### Security
927
+
786
928
  - **Settings Persistence**: Secure handling of user preferences and framework settings
787
929
  - **Error Handling**: Improved error reporting for configuration issues
788
930
  - **Dependencies**: Maintained zero runtime dependencies for maximum security
789
931
  - **Shell Access**: Confirmed no child_process usage in setup-enforcer.js
790
932
  - **Input Validation**: Enhanced path validation for source and output directories
791
933
 
792
-
793
-
794
934
  ## [1.9.1] - 2025-08-14
795
935
 
796
936
  ### Added
937
+
797
938
  - **Python Support**: Full support for Python frameworks including Django, Flask, FastAPI, and generic Python projects
798
939
  - **Enhanced Framework Detection**: Improved accuracy for all supported frameworks with new Python detection algorithms
799
940
  - **Common Locale File**: Added `locales/common.json` for shared translation keys across frameworks
@@ -801,6 +942,7 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
801
942
  - **Exit/Cancel Option**: Added option to exit/cancel (press 0) during directory selection in fixer command
802
943
 
803
944
  ### Changed
945
+
804
946
  - **Security Overhaul**: Replaced all `child_process` imports with native Node.js APIs
805
947
  - **Performance**: Maintained 97% performance improvement while adding security enhancements
806
948
  - **Framework Detection**: Updated detection patterns for JavaScript, Python, Go, Java, and PHP
@@ -808,18 +950,21 @@ The v3.3.0 release resolves the actionable dynamic-require alert by eliminating
808
950
  - **Documentation**: Comprehensive updates to reflect new features and security improvements
809
951
 
810
952
  ### Removed
953
+
811
954
  - **Outdated Test Files**: Cleaned up test directories and removed deprecated test scripts
812
955
  - **Debug Tools**: Removed unused benchmark and package test files
813
956
  - **Shell Dependencies**: Eliminated all shell command dependencies
814
957
  - **Legacy Files**: Removed outdated configuration and development files
815
958
 
816
959
  ### Security
960
+
817
961
  - **Zero Vulnerabilities**: Successfully passed security audit with 0 vulnerabilities
818
962
  - **Memory Safety**: Enhanced memory-safe operations throughout the codebase
819
963
  - **Input Validation**: Improved validation for all user inputs and file operations
820
964
  - **Dependency Cleanup**: Removed all shell-related dependencies
821
965
 
822
966
  ### Performance
967
+
823
968
  - **Zero Overhead**: Security enhancements added zero performance overhead
824
969
  - **Python Detection**: Minimal overhead from new Python framework detection
825
970
  - **Memory Usage**: Maintained <2MB memory usage for all operations